AT&T says hackers accessed records of calls and texts for nearly all its cellular customers
AT&T on Friday disclosed that hackers had accessed records of calls and texts of "nearly all" its cellular customers for a six-month period between May 1, 2022 to Oct. 31, 2022.
In its statement, AT&T said the compromised data doesn't include the content of the calls or texts, or personal information such as Social Security numbers, birth dates or other personally identifiable information. The company said hackers downloaded the data "from our workspace on a third-party cloud platform."
The hack also includes records from Jan. 2, 2023 for a "very small number of customers," AT&T said.
The telecom giant said that it learned about the illegal download in April, and that it is working with law enforcement, noting that "at least one person has been apprehended." While the files don't include call or text content, AT&T said the data identifies telephone numbers that an AT&T number interacted with during the periods.
"At this time, we do not believe that the data is publicly available," AT&T said in the statement.
This data breach is separate from one disclosed earlier this year by AT&T, the company told CBS MoneyWatch in an email. In that case, hackers have stolen personal information for millions of current and former AT&T customers, with the fraudsters sharing the data on the dark web.
Even though the breach didn't include personally identifiable information, some security experts warned that any information could help hackers gain access to more data, opening the door to fraud.
"These types of identity-based attacks that exfiltrate customer records can allow attackers to piece together the personal data of individuals, including names, phone numbers, addresses and financial and Social Security details, placing millions of people at risk for identity theft or fraud," said Dan Schiappa, chief product and services officer at Arctic Wolf, a cybersecurity company.
Companies are required to disclose security breaches to customers within 30 days of becoming aware of an incident, according to U.S. securities regulations. But when AT&T reached out to the FBI about the breach, the agency authorized a delay because of concerns about security risks, the FBI told CBS News in a statement.
The FBI noted that after learned of the breach, it worked with AT&T as well as the Department of Justice to investigating the incident.
In a separate statement, the Justice Department said it determined that a delay in publicly disclosing the incident was warranted because it could "pose a substantial risk to national security and public safety." On Friday, the U.S. Federal Communications Commission also said it is investigating the breach.
AT&T data breach: Was I affected?
AT&T said it will alert customers who were impacted via text, email or U.S. mail. It also said people could log into their account, where they'll be able to see if their data was affected.
Customers "can also request a report that provides a more user-friendly version of technical information that was compromised," a spokesperson told CBS MoneyWatch.
AT&T said customers can visit att.com/DataIncident for more information.
Is AT&T providing identity theft protection?
No, AT&T said it's not providing additional protection services at this time.
However, it warned customers to be cautious about email or text requests that ask for personal, account or credit card information.
"For example, bad actors will often send emails that try to get you to click on links that contain malicious software (known as 'phishing')," the company said. "Another technique bad actors use involves sending text messages that attempt to get recipients to reveal important information like passwords or account information ('smishing')."
AT&T recommends that people only open texts or emails from people they know, and advises not to reply with personal information to any text or email from someone you don't know. It also recommends that customers go directly to a company's website rather than clicking on a link in a message or email, since scammers sometimes build fake websites that are designed to look like the real thing.
"In case of suspicious text activity, you may forward it to us so that we can act. Get step-by-step instructions to report unwanted text messages by following this link. Messages forwarded are free and will not count toward your text plan," the company said.