US Markets
Friday, July 12th, 2024 2:31 pm EDT
Key Points
- Hackers accessed and copied six months’ worth of call and text message records of nearly every AT&T cellular network customer, affecting approximately 127 million devices, according to an SEC filing.
- The breach involved call logs stored on a third-party cloud platform, including phone numbers but not the content of calls or personal information, posing significant privacy and national security risks due to the sensitivity of metadata.
- AT&T has implemented additional cybersecurity measures and is cooperating with law enforcement, with at least one person apprehended; the company assured that, as of now, the stolen data is not publicly available and the breach will not impact its financial results.
AT&T disclosed a significant data breach affecting nearly all its cellular network customers, spanning six months of call and text message records. The breach, which AT&T revealed in an SEC filing, occurred when hackers accessed and copied call logs stored on a third-party cloud platform. The compromised data includes records from May 1 to October 31, 2022, and January 2, 2023, though the content of the calls and messages and personal customer information were not accessed. Despite this, the breach included phone numbers, which can be highly sensitive metadata. Metadata, when analyzed at large scales, can reveal patterns and connections, potentially posing national security threats.
AT&T’s wireless network connects 127 million devices, underscoring the scale of the breach. The company acknowledged that while the data does not contain customer names, phone numbers can often be traced to individuals using publicly available tools. Experts like John Scott-Railton from the University of Toronto’s Citizen Lab and Thomas Rid from Johns Hopkins University highlighted the severity of the breach, likening it to the NSA’s bulk metadata collection exposed by Edward Snowden. Rid emphasized that metadata can uncover intimate details about individuals’ daily routines and locations.
In response to the breach, AT&T has implemented additional cybersecurity measures and closed the point of unlawful access. The company assured customers that affected individuals would be contacted and that, as of Friday, the stolen data is not believed to be publicly available. The U.S. Justice Department mandated the public announcement of the breach in May and June, albeit after an unspecified delay. AT&T is cooperating with law enforcement, and at least one person has been apprehended in connection with the hack.
The breach, while not expected to impact AT&T’s operations or financial results, raises significant concerns about customer security. Previous breaches, such as one in March involving customer names and Social Security numbers, exacerbate the potential threat, as attackers could map phone numbers to individuals using previously compromised data. Cybersecurity expert Jake Williams noted that the combination of past and present breaches increases the risk to AT&T customers.
Senator Ron Wyden criticized the telecommunications industry’s lax legal environment and called for stricter accountability. He argued that inadequate cybersecurity measures by phone companies lead to recurring data breaches, which will persist until regulatory bodies like the FCC impose substantial fines. Wyden’s statement underscores the need for more stringent enforcement to ensure companies prioritize customer security and mitigate the risk of future breaches.
For the full original article on CNBC, please click here: https://www.cnbc.com/2024/07/12/att-says-hackers-stole-records-of-nearly-all-cell-customers-calls-and-texts.html