AT&T, one of the largest telecommunications providers in the United States, announced on Saturday that it is investigating a data breach involving the personal information of more than 70 million current and former customers. The compromised data, which was leaked on the dark web, includes sensitive information such as social security numbers, full names, email and mailing addresses, phone numbers, and dates of birth, as well as AT&T account numbers and passcodes.
According to the company's website, the breach has impacted 7.6 million current account holders and 65.4 million former account holders. AT&T stated in a press release that the incident occurred approximately two weeks ago and has not yet had a "material impact" on its operations.
While the source of the leak has not been publicly identified, AT&T's preliminary analysis suggests that the compromised data set appears to be from 2019 or earlier. The company has not yet found evidence of unauthorized access to its systems resulting in the theft of the data set.
In response to the breach, AT&T is reaching out to all 7.6 million impacted customers and has automatically reset their passcodes. The company plans to communicate with both current and former account holders whose sensitive personal information has been compromised, offering complimentary identity theft and credit monitoring services to those affected.
External cybersecurity experts have been brought in to assist with the investigation, and AT&T has encouraged customers to closely monitor their account activity and credit reports. Carmen Balber, executive director of the consumer advocacy group Consumer Watchdog, advised affected consumers to prioritize changing passwords, monitor other accounts, and consider freezing their credit with the three credit bureaus, given that social security numbers were exposed.
This latest data breach is not an isolated incident for AT&T or the telecommunications industry as a whole. In March 2023, AT&T notified 9 million wireless customers that their information had been accessed in a breach of a third-party marketing vendor. In August 2021, a hacking group claimed to be selling data related to more than 70 million AT&T customers, though the company disputed the source of the data at the time.
Other major telecommunications providers, such as T-Mobile and Verizon, have also experienced significant data breaches in recent years. A 2023 report from cyber intelligence firm Cyble attributed the majority of these breaches to third-party vendors, highlighting the potential for larger-scale supply-chain attacks and a greater number of impacted users globally.
In response to the growing threat of data breaches, the Federal Communications Commission (FCC) updated its data breach notification rules in December 2022. These changes aim to hold phone companies accountable for protecting sensitive customer information and enable customers to protect themselves in the event of a compromise.
FCC Chairwoman Jessica Rosenworcel emphasized the need for updated policies, stating, "What makes no sense is leaving our policies stuck in the analog era. Our phones now know so much about where we go and who we are, we need rules on the books that make sure carriers keep our information safe and cybersecure."
As the investigation into the AT&T data breach continues, customers are advised to remain vigilant and take proactive steps to safeguard their personal information. The incident serves as a stark reminder of the ongoing challenges faced by telecommunications providers and the importance of robust cybersecurity measures in an increasingly digital world.
