Hackers stole six months’ worth of call and text message records of nearly every AT&T cellular network customer, the company said Friday, a breach that has the potential to reveal sensitive information about millions of Americans.
The company said in an SEC filing that it learned from an internal investigation that in April, hackers “unlawfully accessed and copied AT&T call logs” that were saved on a third-party cloud platform.
The data contains records of calls and texts between approximately May 1 and Oct. 31, 2022, and on Jan. 2, 2023.
The content of the calls and messages was not compromised and customers’ personal information was not accessed — but the records did include phone numbers. Such information is often called metadata, which is information about communications, and considered highly sensitive especially when collected and analyzed at large scales to reveal patterns and connections between people.
AT&T’s wireless network has 127 million devices connected to it, according to the company’s 2023 annual report.
“While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” the company said in its SEC filing.
The Justice Department and the FBI each said it is working with AT&T to investigate the hack. The FCC also said it had launched an investigation into the breach.
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which focuses on communications technology and security, called the hack at “megabreach,” emphasizing that metadata stolen at this scale has the potential to be a major national security threat as well as a problem for businesses and individuals.
“These are incredibly sensitive pieces of personal information and, when taken together at the scale of information that appears to be included in this AT&T breach, they presetent a massive NSA-like window into Americans’ activity,” he said, nodding to the leaks by Edward Snowden that exposed the National Security Agency’s bulk collection of metadata.
Thomas Rid, a professor of strategic studies and the director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University, said metadata can reveal intimate details about people, though he cautioned that more needs to be learned about what hackers took from AT&T before a full picture of the threat will be clear.
“If you have somebody’s metadata, you know when they go to work, where they go to work, where they sleep every night,” he said.
AT&T said it has “taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access.” Customers affected by the hack will be contacted, it said.
The company said the U.S. Justice Department ruled that it should publicly announce details of the hack — on May 8 and June 5 — but only after an unspecified delay.
AT&T added that it is assisting law enforcement officers in efforts to arrest the hackers.
“Based on information available to AT&T, it understands that at least one person has been apprehended,” the company said, without providing further details.
The company sought to assure customers that, at least as of Friday, “AT&T does not believe that the data is publicly available.”
The filing also said the hack would not impact its operations or negatively affect its financial results.
Metadata on its own does not include the actual name of a person, though such information can be easy to find online.
But the hack announced Friday could pose an even greater threat to AT&T users because of a previous security issue. Some AT&T customer names were previously released in a breach announced in March, according to Jake Williams, vice president of research and development at Hunter Strategy, an IT consultancy. That incident also included Social Security numbers.
“AT&T data previously compromised and released will help threat actors map a large percentage of the phone numbers in these customer records to the actual victims impacted,” Williams said in an email to NBC News.
Sen. Ron Wyden, D-Ore., said in a statement that the breach was indicative of the lax legal environment in which telecommunications companies operate.
“This is not the first data breach revealed by a major phone company and it won’t be the last,” he said. “These hacks, which are almost always the result of inadequate cybersecurity, won’t end until the FCC starts holding the carriers accountable for their negligence. These companies will keep shortchanging customer security until it hits them in the wallet with billion dollar fines.”
— This is a developing story. Please check back for updates.
— Rob Wile and Brian Cheung contributed.