The call and text message records from mid-to-late 2022 of tens of millions of AT&T cellphone customers and many non-AT&T customers were exposed in a massive data breach, the telecom company revealed Friday.
AT&T said the compromised data includes the telephone numbers of “nearly all” of its cellular customers and the customers of wireless providers that use its network between May 1, 2022 and October 31, 2022.
The stolen logs also contain a record of every number AT&T customers called or texted – including customers of other wireless networks – the number of times they interacted, and the call duration.
Importantly, AT&T said the stolen data did not include the contents of calls and text messages nor the time of those communications.
The records of a “very small number” of customers from January 2, 2023, were also implicated, AT&T said.
“We have an ongoing investigation into the AT&T breach and we’re coordinating with our law enforcement partners,” the FCC said on social media platform X.
The company blamed an “illegal download” on a third-party cloud platform that it learned about in April – just as the company was grappling with an unrelated major data leak.
AT&T says that the exposed data is not believed to be publicly available, however CNN was unable to independently verify that assertion.
AT&T spokesperson Alex Byers told CNN that this was an entirely new incident that had “no connection in any way” to another incident disclosed in March. At that time, AT&T said personal information such as Social Security numbers on 73 million current and former customers was released onto the dark web.
“We sincerely regret this incident occurred and remain committed to protecting the information in our care,” the company said in a statement about the latest breach.
AT&T listed approximately 110 million wireless subscribers as of the end of 2022. AT&T said international calls were not included in the stolen data, with the exception of calls to Canada.
The breach also included AT&T landline customers who interacted with those cell numbers.
AT&T said that contents of the calls or texts, personal information such as Social Security numbers, dates of birth, or customer names were not exposed in this incident, however the company acknowledged that publicly available tools can often link names with specific phone numbers.
Additionally, AT&T said that for an undisclosed subset of its records, one or more cell site identification numbers linked to the calls and texts were also exposed. Such data could reveal the broad geographic location of one or more of the parties.
AT&T promised to notify current and former customers whose information was involved and provide them resources to protect their information.
Usage details such as the time of calls and text messages were not compromised either. But AT&T spokesperson Byers told CNN that the number of calls and text messages, and total call durations for specific days or months were exposed.
That means the data would not identify precisely when one phone number called another but could reveal how often two parties called each other – and how long they spoke for – on specific days.
AT&T said it learned on April 19 that a “threat actor claimed to have unlawfully accessed and copied AT&T call logs.” The company said it “immediately” hired experts and a subsequent investigation determined hackers had exfiltrated files between April 14 and April 25.
Justice Department delays public disclosure
The company said the US Department of Justice Department determined in May and in June that a delay in public disclosure was warranted. The FBI said AT&T reached out shortly after learning about the hack, but the agency wanted to review the data for potential national security risks.
“In assessing the nature of the breach, all parties discussed a potential delay to public reporting… due to potential risks to national security and/or public safety,” the FBI said in a statement. “AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”
“This is very concerning. This information is very valuable to cyber criminals and to nation-states,” Sanaz Yashar, co-founder and CEO of cybersecurity firm Zafran, told CNN.
Yashar, previously an Israeli cyber spy, said threat actors can correlate the cell ID data with other information readily available to pinpoint where someone works – including at sensitive locations like the White House and Pentagon
“You don’t need the timestamp. If someone is there everyday, you can understand they work their and their routine. This is very secret information and a way that spies do stuff.”
AT&T shares fell 1% on Friday following the news.
In the new incident, AT&T told CNN it learned in April that customer data was illegally downloaded from its workspace on Snowflake, a third-party cloud platform.
Brad Jones, chief information security officer at Snowflake, told CNN in a separate statement that the company has not found evidence this activity was “caused by a vulnerability, misconfiguration or breach of Snowflake’s platform.” Jones said this has been verified by investigations by third-party cybersecurity experts at Mandiant and CrowdStrike.
AT&T said it launched an investigation, hired cybersecurity experts and took steps to close the “illegal access point.”
The company said it’s cooperating with law enforcement’s efforts to apprehend those responsible and understands at least one person has already been arrested.