AT&T announced Saturday that it is investigating a data breach involving the personal information of more than 70 million current and former customers leaked on the dark web.
According to breach information on the company's website, 7.6 million current account holders and 65.4 million former account holders were affected. AT&T said in a press release that the breach occurred about two weeks ago and that the incident has not yet had a “material impact” on the company's operations.
AT&T said the information contained in the compromised data set varies from person to person. It may include a person's Social Security number, name, email and postal address, phone number, date of birth, AT&T account number and password.
The company has so far not revealed the cause of the leak, at least publicly.
“Preliminary analysis indicates that the data set dates back to before 2019,” the company said. “AT&T currently has no evidence that data sets were stolen as a result of unauthorized access to our systems.”
The company said via email or letter that it had “contacted all 7.6 million affected customers to reset their passwords” and that it planned to contact all current and former account holders whose sensitive personal information was compromised. The company said it plans to provide “free identity theft and credit monitoring services” to those affected by the breach.
An external cybersecurity expert was brought in to assist with the investigation, the company added.
NPR reached out to several AT&T stores. In all cases, sales representatives said they were not yet aware of the breach.
On its website, the telecom company encouraged customers to closely monitor their account activity and credit reports.
Carmen Balber, executive director of Consumer Watchdog, a consumer advocacy group, told NPR: “Affected consumers should prioritize changing their passwords, monitoring other accounts, and reporting to the three credit bureaus because their Social Security numbers were exposed. A credit freeze should be considered.”
An industry rife with data leaks
AT&T has experienced several data breaches over the years.
For example, in March 2023, the company notified 9 million wireless customers that their customer information had been accessed in a breach of a third-party marketing vendor.
In August 2021, in an incident that AT&T said was not related to the recent breach, a hacking group claimed it was selling data related to more than 70 million AT&T customers. At that time, AT&T disputed the source of the data. It was re-leaked online earlier this month. According to a March 22 TechCrunch article, a new analysis of the leaked data set indicates that the AT&T customer data is real. “Some AT&T customers confirmed that the leaked customer data was accurate,” TechCrunch reported. “However, AT&T has not yet disclosed how its customers’ data was leaked online.”
AT&T is by no means the only U.S. telecommunications provider with a history of customer data compromise. The problem is widespread throughout the industry. A 2023 data breach affected 37 million T-Mobile customers. Last month's Verizon data breach affected more than 63,000 people, many of whom were Verizon employees.
U.S. telecommunications companies are lucrative targets for hackers, according to a 2023 report from cyber intelligence firm Cyble. The study found that the majority of recent data breaches were caused by third-party vendors. “These third-party breaches could lead to larger supply chain attacks, potentially impacting a larger number of users and businesses globally,” the report said.
Adapt to government rules
Meanwhile, last December, the Federal Communications Commission (FCC) updated its 16-year-old data breach notification rules to ensure that telecommunications providers adequately protect sensitive customer information. According to a press release, the goal of the rule is to “hold phone companies accountable for protecting sensitive customer information and ensure customers can protect themselves if their data is compromised.”
“It makes no sense to lock our policies into the analog era,” FCC Chairman Jessica Rosenworcel said in a statement about the change. “Now that our phones know so much about where we go and who we are, we need rules to ensure carriers keep our information safe and cybersecure.”