AT&T revealed Friday morning that a cybersecurity attack had exposed call records and texts from “nearly all” of the carrier’s cellular customers (including people on mobile virtual network operators, or MVNOs, that use AT&T’s network, like Cricket, Boost Mobile, and Consumer Cellular). The breach took place during the period between May 1st, 2022, and October 31st, 2022, in addition to an incident that impacted a “very small number” of customers on January 2nd, 2023.
AT&T spokesperson Alex Byers confirmed to The Verge that the threat actor accessed the information through the company’s account on a third-party cloud platform, Snowflake, similar to data breaches that have affected Ticketmaster and Santander Bank. AT&T first learned of the breach in April, but as reported by TechCrunch, an FBI spokesperson confirmed that “AT&T, the FBI and the Department of Justice agreed to delay notifying the public and customers on two occasions, citing ‘potential risks to national security and/or public safety.’”
The stolen data includes which phone numbers customers interacted with, and Byers tells The Verge that the breach also includes “counts of those calls/texts and total call durations for specific days or months.”
The downloaded data doesn’t include the content of any calls or texts. It doesn’t have the time stamps for the calls or texts. It also doesn’t have any details such as Social Security numbers, dates of birth, or other personally identifiable information.
While the data doesn’t include customer names, there are often ways to find a name associated with a phone number using publicly available online tools.
In a blog post, AT&T said “we do not believe that the data is publicly available” and that it has “taken steps to close off the illegal access point.” The company is working with law enforcement to “arrest those involved” and says one person has already been apprehended.
“We will provide notice to current and former customers whose information was involved along with resources to help protect their information,” AT&T writes. “We sincerely regret this incident occurred and remain committed to protecting the information in our care.”