AT&T announced on Saturday that it is investigating a data breach affecting 70 million customers, involving personal information on the dark web.
According to information about the breach on the company’s website, 7.6 million current account holders and 65.4 million former account holders have been impacted. An AT&T press release said the breach occurred about two weeks ago and has not yet had a “material impact” on its operations.
AT&T said the information included in the compromised data set varies from person to person. It could consist of social security numbers, full names, email and mailing addresses, phone numbers, dates of birth, AT&T account numbers, and passcodes.
So far, the company has not identified the source of the leak, at least publicly.
“Based on our preliminary analysis, the data set appears to be from 2019 or earlier,” the company said. “AT&T does not have evidence of unauthorized access to its systems, resulting in data set theft.”
The company said it is “reaching out to all 7.6 million impacted customers and has reset their passcodes” via email or letter. It plans to communicate with current and former account holders whose sensitive personal information was compromised. It also plans to offer “complimentary identity theft and credit monitoring services” to those affected by the breach.
External cybersecurity experts have been brought in to help investigate, it added.
NPR contacted a few AT&T stores. In all cases, the sales representatives said they were unaware of the breach.
The telecommunications company’s website encouraged customers to monitor their account activity and credit reports closely.
“Consumers impacted should prioritize changing passwords, monitor other accounts, and consider freezing their credit with the three credit bureaus since social security numbers were exposed,” Carmen Balber, executive director of the consumer advocacy group Consumer Watchdog, told NPR.
An industry rife with data leaks
AT&T has experienced multiple data breaches over the years.
In March 2023, for instance, the company notified 9 million wireless customers that a third-party marketing vendor had breached their customer information.
In August 2021, in an incident AT&T said was not connected to the latest breach, a hacking group claimed it was selling data relating to more than 70 million AT&T customers. At the time, AT&T disputed the source of the data. It was re-leaked online earlier this month. According to a Mar. 22 TechCrunch article, a new analysis of the leaked dataset points to the AT&T customer data being authentic. “Some AT&T customers have confirmed their leaked customer data is accurate,” TechCrunch reported. “But AT&T still hasn’t said how its customers’ data spilled online.”
AT&T is by no means the only U.S. telecommunications provider with a history of compromised customer data. The issue is rife across the industry. A 2023 data breach affected 37 million T-Mobile customers. Just last month, a data leak at Verizon impacted more than 63,000 people, most of whom were Verizon employees.
A 2023 report from cyber intelligence firm Cyble said that U.S. telecommunications companies are a lucrative target for hackers. The study attributed the majority of recent data breaches to third-party vendors. “These third-party breaches can lead to larger-scale supply-chain attacks and a greater number of impacted users and entities globally,” the report said.
Government rules adapt
Meanwhile, last December, the Federal Communications Commission (FCC) updated its 16-year-old data breach notification rules to ensure that telecommunications providers adequately safeguard sensitive customer information. According to a press release, the rules aim to “hold phone companies accountable for protecting sensitive customer information while enabling customers to protect themselves if their data is compromised.”