Pau Ballena/AFP/Getty Images
A visitor walks past the AT&T logo.
CNN
—
AT&T said Friday that call and text message records from tens of millions of its mobile phone customers and many non-AT&T customers from mid- to late 2022 were exposed in a massive data breach.
AT&T said the hacked data did not include call or text message content, and the leaked data does not appear to be publicly available at this time.
AT&T is under fire The company learned of the “illegal downloads” on a third-party cloud platform in April. Unrelated massive data leak.
AT&T said the compromised data included phone numbers for “nearly all” mobile customers and wireless provider customers who used its network between May 1, 2022 and Oct. 31, 2022. The stolen logs also included records of every number that AT&T customers, including customers of other wireless networks, called or texted, the number of interactions and the duration of calls.
AT&T said the investigation also involved a “very small number” of customer records from Jan. 2, 2023. The company said the contents of calls and text messages were not being made public.
AT&T lists about 110 million wireless subscribers as of the end of 2022. AT&T said no international calls were included in the stolen data, except for calls to Canada.
The breach also included AT&T landline customers who communicated through those mobile numbers.
AT&T said no customers’ names were released in this case, but the company acknowledged that publicly available tools often link names to specific phone numbers.
Additionally, AT&T said that for a non-disclosed subset of the records, it also released one or more base station identification numbers linked to the calls and texts. Such data could reveal the broad geographic location of one or more of the parties.
“At this time, we do not believe any data was exposed,” AT&T said in a statement. “We sincerely regret that this incident occurred and remain committed to protecting the information in our control.”
AT&T has promised to notify current and former customers whose information concerns it and provide them with resources to protect their information.
The breach exposed call and text message records, but AT&T said it did not include the content of any calls or text messages, nor did it contain any personal information such as Social Security numbers, dates of birth or other personally identifiable information.
Usage details like talk time and text messages were also not leaked.
AT&T said it learned “that a threat actor allegedly illegally accessed and copied AT&T call logs” on April 19. The company said it “immediately” hired experts and that a subsequent investigation identified the hackers, who exfiltrated the files between April 14 and April 25.
The company said the Department of Justice determined in May and June that a delay in the release was justified. It is unclear why the government requested a delay in the release of the data. CNN has reached out to the Department of Justice for comment.
AT&T shares fell 2% in premarket trading following the news.
AT&T spokesperson Alex Byers told CNN that the latest incident “has nothing to do with” the incident disclosed in March, when AT&T said personal information, including Social Security numbers, of 73 million current and former customers had been exposed on the dark web.
In the new incident, AT&T told CNN that it learned in April that customer data had been illegally downloaded from a workspace on Snowflake, a third-party cloud platform.
Snowflake’s chief information security officer, Brad Jones, told CNN in a separate statement that the company had found no evidence that the activity was “caused by a vulnerability, misconfiguration, or compromise of the Snowflake platform.” Jones said this was confirmed by an investigation by third-party cybersecurity experts from Mandiant and CrowdStroke.
AT&T said it had launched an investigation, hired cybersecurity experts and taken steps to shut down “illegal access points.”
The company said it was cooperating with police efforts to catch the perpetrators and was aware that at least one arrest had already been made.
This story has been updated to reflect additional background and developments.
