The most recent data breach at telco AT&T is a violation of personal privacy and trust, according to cybersecurity experts. In April, AT&T learned that hackers had stolen the call logs of around 51 million customers.
The stolen data included files containing AT&T records of calls and texts of nearly all of its mobile customers, customers of mobile virtual network operators using AT&T’s wireless network, and AT&T’s landline customers who interacted with those mobile numbers across six months in mid-2022. The compromised data also included records from January 2, 2023, for a smaller subset of customers. The records identify the telephone numbers an AT&T or mobile virtual network customer with a mobile number interacted with during these periods.
“While the information that was exposed doesn’t directly have sensitive information, it can be used to piece together events and who may be calling who,” said Thomas Richards, Principal Security Consultant within the Synopsys Software Integrity Group. “This could impact people’s private lives as private calls and connections could be exposed. The business phone numbers will be easy to identify, and private numbers can be matched to names using public record searches.”
“AT&T’s latest announcement revealing another major data breach is a painful second blow to the millions of customers who have already lost trust after having their private information exposed by the company earlier this year,” said Keeper Security CEO Darren Guccione. “Although the leaked phone records do not contain the contents of calls and text messages, they do provide records of who customers interacted with, and some include identification numbers that could help bad actors determine where calls were made, and texts were sent.”
“The disclosure of this information, following the leak of Social Security numbers, names, email and mailing addresses, phone numbers, dates of birth, account numbers and passcodes, is a clear violation of personal privacy and trust. These massive breaches, affecting millions of customers, underscore the persistent and evolving threats to digital security and why everyone must take concrete, proactive steps to safeguard their sensitive information.”
The data from the latest breach does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. AT&T also says it does not include typical information you see in your usage details, such as the time stamp of calls or texts. However, the telco said that while the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.
“This breach is also a wakeup call for organisations to reevaluate their cybersecurity strategies, emphasising proactive measures over reactive responses,” added Guccione. “As cyber threats evolve, organisations must prioritise protecting customer data. Today, identity applications require both authentication and end-to-end encryption to provide robust cybersecurity protection. Cybersecurity technologies protecting these environments must cover every user, on every device, from every location.”
At the time of publication, AT&T said it doesn’t believe the data from the latest hack has become publicly available.
