Nearly all AT&T customers’ call and text data exposed in massive breach




CNN

The call and text message records of tens of millions of AT&T mobile phone customers were exposed in a major data breach in mid- to late 2022, the telecom company announced Friday.

AT&T blamed an “illegal download” from a third-party cloud platform, which it learned of in April, just as the company was grappling with an unrelated major data breach.

AT&T said the compromised data included the phone numbers of “nearly all” of its mobile and wireless carrier customers who used its network between May 1, 2022, and Oct. 31, 2022.

Data from a “very small number” of customers on Jan. 2, 2023, was also affected, AT&T said. The content of the calls and text messages was not released, the company said.

At the end of 2022, AT&T had approximately 110 million mobile subscribers.

AT&T landline customers who communicated with those mobile numbers were also affected by the breach.

AT&T said no customer names were released in the incident. However, the company acknowledged that publicly available tools can often match names to specific phone numbers.

Additionally, AT&T said that for an undisclosed subset of its data, one or more cell site identification numbers tied to the calls and texts were also exposed. Such data could reveal the broad geographic location of one or more of the parties.

“At this time, we do not believe the data is publicly available,” AT&T said in a statement. “We sincerely regret that this incident occurred and remain committed to protecting the information entrusted to us.”

AT&T promised to notify current and former customers whose data was affected and provide them with tools to protect their data.

While the breach exposed phone and text message records, AT&T said the records did not include the content of the calls or text messages, nor did they contain Social Security numbers, dates of birth or other personal information.

Usage data such as the time of calls and text messages also remained intact.

AT&T said it learned on April 19 that a “threat actor claimed to have unlawfully accessed and made copies of AT&T call logs.” The company said it “immediately” hired experts and that a subsequent investigation revealed that hackers had exfiltrated files between April 14 and April 25.

The company said the U.S. Department of Justice determined in May and June that a delay in the disclosure was warranted. It is not clear why the U.S. government requested a delay in the disclosure.

AT&T spokesman Alex Byers told CNN that this new incident is “in no way related” to an incident disclosed in March. At the time, AT&T said that personal information such as Social Security numbers of 73 million current and former customers was exposed on the dark web.

In the new incident, AT&T told CNN it learned in April that customer data had been illegally downloaded from a workspace on Snowflake, a third-party cloud platform.

AT&T said it has launched an investigation, hired cybersecurity experts and taken steps to shut down the “illegal access point.”

The company says it is working with police to arrest those responsible and that at least one person has already been arrested.
