AT&T says hackers breached customer cellular calls and texting records

By J. Scott Trubey, Savannah Sicurella and Michael E. Kanell

AT&T on Friday announced that hackers obtained data on the calls and text messages of essentially all its customers over a period of several months, a significant breach of a major American telecommunications company.

The trove of data includes digital traces of voice and text communications — the cellular numbers that customers called or received calls from, numbers that AT&T customers had text exchanges with and the times in which such communications were made.

The data extracted did not include the contents of calls, text messages, personal information such as Social Security numbers and dates of birth or other personally identifiable information, the company said.

AT&T serves not only individual consumers, but also businesses and governments. In a series of posts on social media platform X, formerly Twitter, cybersecurity researcher John Scott-Railton said the breach provides to an unknown entity a “(National Security Agency)-level view into Americans’ lives,” and that it should “wake everyone up.”

“It tells comprehensive stories about who people are, what they are doing, and what their secrets are,” Scott-Railton said.

Nearly all of AT&T’s wireless customers were impacted, the company said in a report filed Friday morning with the Securities and Exchange Commission. AT&T provides mobile and broadband service to more than 100 million U.S. consumers, according to its website.

While the stolen data does not include names, there are ways, using publicly available tools, to find the name associated with a specific telephone number.

The breach involved customer metadata from May 2022 to October 2022 as well as Jan. 2, 2023, the company said. Hackers obtained the information during a period in April this year from an AT&T device within a third-party cloud platform, the company said. In May and then again in June, the U.S. Justice Department determined a delay in providing public disclosure was warranted, according to the SEC filing.

Companies affected by cybersecurity incidents are permitted to delay publicly disclosing the incident if the U.S. attorney general determines that disclosure of the event would pose a “significant threat to public safety or national security,” according to the SEC. For example, the disclosure could risk revealing a confidential source or sensitive information.

AT&T does not believe that the data is publicly available, according to an SEC filing. The hacking of customer cellular metadata is the second significant data breach AT&T has discovered in four months. In March, AT&T announced it found a data set on the dark web revealing Social Security information and four-digit numerical pass codes from 2019 or earlier.

Full names, email addresses, mailing addresses, phone numbers, dates of birth and AT&T account numbers may have also been compromised in the breach AT&T announced in March. About 7.6 million current AT&T customers and 65.4 million former customers were impacted by that incursion.

Personal information such as Social Security numbers is very valuable to data thieves, as it can be used to steal identities and commit financial fraud.

The intent behind this metadata breach is less clear, though the information obtained can be exploited in different ways.

Vic Hartman, a retired FBI special agent who runs The Hartman Firm, which helps businesses with cyber incidents and other complex internal investigations, said AT&T’s disclosure indicates that a “bad actor has the data under its control but has not taken steps to make it publicly available on the internet.”

Metadata, or call logs, are the types of information that law enforcement typically can obtain only via a subpoena in criminal matters.

Metadata can be a powerful tool for law enforcement to investigate the connections between individuals and entities. Investigators often subpoena such information from telecommunications providers to establish patterns of communications that can then be used as evidence to seek wiretaps or the contents of text messages.

Hartman said to make such metadata “meaningful, it requires software, analysts, time and expense to mine it for meaningful information.”

“The subscriber associated with a phone number can be identified,” he said.

“Software can connect the dots of relationships between individuals to see how often, how long, and how many texts occurred.” Hartman said he can see “potential harm, but this data is not usually sought to be exploited in this way.”

“The bad actor would have to find someone wanting the data, and from there the scheme would get more complicated,” he said. “This could also have been the makings of a ransomware attack that had not yet fully matured.”

AT&T is working with law enforcement to find and arrest the hackers responsible for the breach. At least one person has been apprehended, according to AT&T.

“The fact that someone has been arrested could mean that person is now cooperating (and) it’s a matter of time before we find out the motivation behind this,” Hartman said.

Liz Coyle, the executive director of the consumer advocacy organization Georgia Watch, said she was affected by the AT&T data breach of personal identity information earlier this year.

The breach announced Friday, though of a different form of information, Coyle said, “is yet another way we are assured our private lives really aren’t private.”

“When companies like AT&T, the credit bureaus or even doctors’ offices have access to our private information that we would not want to be public, they are frequently the target of these hackers because they can use our information to steal our identities and make us vulnerable to blackmail,” she said.

News of the breach prompted criticism across social media. In another post on X, Railton said megabreaches will continue unless “big telcos face massive financial penalties” for them.

“If the market won’t punish telcos for being reckless with our data, regulators and the FCC must,” Railton wrote.

AT&T said it will notify its current and former customers affected by this breach.

“AT&T has taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access,” AT&T said in the SEC filing.