Telecommunications giant AT&T has disclosed a security incident that compromised the records of calls and texts of “nearly all” of its wireless customers over certain periods of time.
The company first learned of the incident on April 19, when an unnamed threat actor claimed to have accessed and copied call logs. Upon further investigation, AT&T found threat actors had accessed an AT&T workspace on a third-party cloud platform. Between April 14 and April 25, the attackers were able to exfiltrate files containing AT&T records of call and text interactions that were made between May 1 and Oct. 31, 2022, and on Jan. 2, 2023. A subset of stolen records included one or more cell site identification numbers, the unique location-related identifiers that are assigned to individual cell towers on wireless communication networks.
The data did not contain the content of calls or texts, according to AT&T. It also did not include personal information like social security numbers or dates of birth. However, AT&T said that while the data does not include customer names, there are publicly available online tools that can help associate names with specific telephone numbers.
“Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network,” according to AT&T both in an SEC Form 8-K filing and on its website. “These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month.”
AT&T said that it has taken steps in response to the incident to secure the impacted workspace, and it plans to provide data breach notices for current and former impacted customers. At the same time, as of the date of the filing, the company said it does not believe the data is publicly available, and it believes that at least one person has been apprehended in the attack.
Earlier this year in March, the company had responded to a separate data set being released on the dark web, which appeared to contain data from 2019 or earlier and impacted 7.6 million current AT&T account holders and 65.4 million former account holders. The data compromised in that incident included personal information like full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, AT&T account numbers and passcodes.
The Form 8-K filing was made under the SEC’s mandate from last year that publicly traded companies must report cyber incidents within four business days of determining that the incident is “material.” However, AT&T said that its filing fell under an exception to the SEC rule that allowed companies a 30-day extension if the disclosure of the cyber incident would impact national security or public safety.
“On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted,” according to AT&T’s filing. “AT&T is now timely filing this report. AT&T is working with law enforcement in its efforts to arrest those involved in the incident.”
Article Link: AT&T: Threat Actors Compromised Customer Phone, Text Records | Decipher