Another day, another data breach.
On July 12th, AT&T filed a form 8-K to the United States Securities and Exchange Commission (SEC). These are required reports companies use to announce major events that shareholders likely have an interest in. In this form, AT&T discloses a cybersecurity incident had occurred exposing information of ‘nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s network‘.
An MVNO is a smaller carrier that pays for the right for their customers to use AT&T’s network. Customers for these carriers are also affected by this breach. The list is rather extensive, including carriers like Boost Infinite, Consumer Cellular, Cricket, and H20.
The affected data does not include contents of calls of texts, personal information such as social security numbers, dates of birth, or other personally identifiable information. No material impact on operations or financial condition is expected as a result of the breach according to AT&T. However, there are a number of publicly available online tools available to discern potentially personal information associated with telephone numbers.
The unlawful access was discovered by AT&T on April 19th, 2024, recognizing a claim a threat actor unlawfully accessed and copied AT&T call logs. This individual accessed an AT&T workspace on a third-party cloud platform between April 14th and April 25th, 2024 and stole customer call and text interactions. The data taken was from around May 1st and October 31st, 2022, and January 2, 2023.
The FCC has also responded to the breach on X.
Details On The Breach
The data accessed includes telephone numbers a subscriber interacted with, including AT&T wireline customers or customers from other carriers. Counts of those interactions, call duration, and even cell site identification numbers in some records were also reported as accessed. Being able to identify a cell site can also reveal the general area a customer is when they are using their device.
CNN also reports usage data like the time of a phone call or text message were not included.
AT&T claims they have closed off the point of unlawful access, among other additional cybersecurity measures. Also, upon knowing of the breach, they immediately activated their incident response process.
The U.S. Department of Justice determined delays in public disclosure were warranted on May 9th and again on June 5th 2024, leading to today. The wireless carrier says that at least one person is apprehended, and does not believe the data is publicly available. This is unverified beyond AT&T’s claim.
The filing AT&T submitted is also viewable on the SEC website.
With carriers having access to an incredible amount of sensitive customer data, the question of accountability returns again and again. This is not the first breach AT&T has been involved with this year, and T-Mobile couldn’t even secure its own employee data. So, at what point will the FCC incur more punitive measures against these breaches? What do you think would be punishment enough? Let us know in the comments below.
