AT&T, one of the largest telecoms companies in the US, has disclosed that hackers have stolen more than six months of call and text message records from nearly all of its cellular network customers, exposing the confidential data of millions of Americans.
Based on its internal investigation, the company said that hackers unlawfully downloaded customer data from its workspace on a third-party cloud platform between April 14 and April 25, the Dallas-headquartered company said in a Securities and Exchange Commission filing on Friday.
It said that hackers had stolen files containing records of customer calls and texts that occurred between May 1 and October 31, 2022, as well as on January 2 last year.
Following the disclosure, the company’s stock dropped 0.40 per cent to trade at $18.78 a share at 2pm New York time (10pm UAE time).
The company first came to know about the hacker's claim of unlawfully gaining access to AT&T call logs on April 19. It added that the stolen data did not encompass the actual content of calls and text messages or the timestamps of those communications.
“The data does not contain the content of calls or texts, personal information such as social security numbers, dates of birth, or other personally identifiable information,” the company said in a regulatory filing.
“Current analysis indicates that the [compromised] data includes records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators using AT&T’s wireless network.”
AT&T said that although the compromised data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.
The company’s wireless network has more than 127 million devices connected to it, per AT&T’s 2023 annual report.
The US Federal Communications Commission has also started an investigation into this incident.
“We have an ongoing investigation into the AT&T breach and we are co-ordinating with our law enforcement partners,” the FCC said in post on X, previously known as Twitter, on Friday.
AT&T said, based on the information provided, it believed that at least one person has been apprehended by law enforcement on suspicion of involvement in the hack.
“We will provide notice to current and former customers whose information was involved along with resources to help protect their information,” the company said on Friday.
AT&T's history of breaches and controversies
This is not the first time the US telecoms company has been caught on the wrong foot.
In March, AT&T said personal information, including social security numbers, of about 7.6 million current and almost 65.4 million former customers was released on to the dark web.
In December 2022, the company agreed to pay a $6.25 million penalty to settle a lawsuit by the SEC, which accused it of selectively leaking financial information to Wall Street analysts.
Filed in March 2021, the SEC lawsuit accused AT&T and three investor relations executives of leaking details about its smartphone business to 20 firms.
Justice Department delays public disclosure
AT&T said the US Department of Justice had suggested delaying the disclosure of the matter to the public.
“On May 9, 2024, and again on June 5, 2024, the US Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted,” it said in the filing without giving any further reason
CNN Business quoted an FBI statement as saying: “In assessing the nature of the breach, all parties discussed a potential delay to public reporting … due to potential risks to national security and/or public safety.
“AT&T, FBI and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”
