AT&T Data Breach Exposes Call and Text Records of Tens of Millions, Raising National Security Concerns


In a massive data breach, tens of millions of AT&T cellphone customers, along with many non-AT&T users, had their call and text message records exposed from mid-to-late 2022, as revealed by AT&T on Friday. This breach impacted the telephone numbers of nearly all AT&T cellular customers and those of wireless providers using its network from May 1, 2022, to October 31, 2022. The compromised logs included records of every number AT&T customers called or texted, the interaction frequency, and call duration, but did not encompass the contents of the communications or their timestamps.

AT&T noted that the records of a small number of customers from January 2, 2023, were also affected. The Federal Communications Commission (FCC) acknowledged the ongoing investigation, stating on social media platform X, “We have an ongoing investigation into the AT&T breach and we’re coordinating with our law enforcement partners.”

The breach was attributed to an “illegal download” on a third-party cloud platform discovered in April, coinciding with an unrelated major data leak. Although AT&T believes the exposed data is not publicly available, CNN could not independently confirm this. AT&T spokesperson Alex Byers emphasized that this incident was distinct from a previous one disclosed in March, where Social Security numbers of 73 million current and former customers were released on the dark web. “We sincerely regret this incident occurred and remain committed to protecting the information in our care,” AT&T stated.

AT&T, which had around 110 million wireless subscribers at the end of 2022, clarified that international calls were not included in the stolen data, except for those to Canada. The breach also involved AT&T landline customers who interacted with affected cell numbers. While sensitive personal information like Social Security numbers, birth dates, or customer names was not exposed, AT&T acknowledged that publicly available tools could link names with specific phone numbers. Additionally, cell site identification numbers linked to calls and texts for some records were exposed, potentially revealing the broad geographic location of one or more parties.

AT&T indicated in a Securities and Exchange Commission filing that at least one individual involved in the cybercriminal incident is in custody. The FBI declined to comment on this matter. AT&T said it would notify affected customers and provide resources to protect their information. Although specific usage details like the time of calls and text messages were not compromised, Byers confirmed that the number of calls and texts and total call durations for certain days or months were exposed. This data could not identify precise call times but could reveal interaction frequency and duration on specific days.

On April 19, AT&T learned that a “threat actor claimed to have unlawfully accessed and copied AT&T call logs,” prompting immediate action and expert investigation. The hackers had exfiltrated files between April 14 and April 25. The Department of Justice determined in May and June that a delay in public disclosure was necessary, citing potential national security or public safety risks. The FBI confirmed this in a statement, “In assessing the nature of the breach, all parties discussed a potential delay to public reporting… due to potential risks to national security and/or public safety. AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”

This marks the first known instance where the Justice Department asked a company to delay an SEC disclosure due to national security or public safety concerns. Sanaz Yashar, co-founder and CEO of cybersecurity firm Zafran, highlighted the potential dangers, “This is very concerning. This information is very valuable to cyber criminals and to nation-states.” Justin Sherman, founder of Global Cyber Strategies, added, “Metadata about who’s communicating with who, at massive scale, enables someone to map connections between people — think journalists and sources, intelligence officers and their contacts, married people and those with whom they’re having an affair.” Jason Hogg, a former FBI special agent, noted the significance of the cell site data, “It could allow bad actors to determine certain consumers’ geolocation, which could be used to make social engineering attacks more believable.”

Following the news, AT&T shares dropped by 1% on Friday. In this incident, AT&T disclosed that customer data was illegally downloaded from its workspace on Snowflake, a third-party cloud platform. This platform has been linked to other recent massive data breaches involving companies like Ticketmaster and Santander Bank. Mandiant, a Google-owned cybersecurity firm, has notified at least 165 organizations potentially affected by the hacking spree. Mandiant analysts have “moderate confidence” that the hackers are based in North America and collaborate with someone in Turkey.

Brad Jones, chief information security officer at Snowflake, stated that no evidence was found indicating a vulnerability, misconfiguration, or breach of Snowflake’s platform, as verified by third-party cybersecurity experts Mandiant and CrowdStrike. AT&T launched an investigation, hired cybersecurity experts, and took steps to close the “illegal access point.”

The massive data breach of AT&T exposed the call and text records of millions, sparking concerns over national security and public safety, and highlighting the ongoing vulnerabilities in digital infrastructure and data protection practices.
