If you’re an AT&T customer, you have a brand new reason to hate your cellular provider. In a turn of events that is somehow both entirely predictable and totally pathetic, the second-largest wireless carrier in the U.S. has announced that hackers recently stole call and text records belonging to “nearly all” of its customers.
“In April, AT&T learned that customer data was illegally downloaded from our workspace on a third-party cloud platform,” the company said Friday in a Securities and Exchange Commission disclosure. “We launched an investigation and engaged leading cybersecurity experts to understand the nature and scope of the criminal activity. We took steps to close off the illegal access point.”
Between April 14 and April 25, 2024, the hacker exfiltrated files “containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023,” AT&T says. Thankfully, the records that were stolen did not have identifying data points. According to the company, “personal information such as Social Security numbers, dates of birth, or other personally identifiable information” was not stolen. Nor were the contents of the texts and calls.
Instead, the information that was taken reveals the phone numbers that a particular user called (or was called by) during the given period, as well as the frequency with which those interactions occurred. The records identify the numbers “with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month,” the disclosure reads.
In other words, the hackers seem to have stolen wholly anonymized data. However, such data need not necessarily stay anonymous for long. AT&T readily acknowledges this in its disclosure: “While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” the company sheepishly admits.
Once a hacker has de-anonymized your number and knows who you are, they could hypothetically do the same with the numbers you’ve interacted with, allowing them to understand the network of people you surround yourself with and your relationships with them. In other words, what AT&T has admitted without openly saying is that this breach is fucking terrible.
On the dark web, this sort of data is traded and can be compiled with other breach information to create fairly comprehensive dossiers on particular people. AT&T, however, says it “does not believe that the data is publicly available,” which is a decidedly vague way to phrase it.
“AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended,” the company discloses in its filing.
Disclosure of the breach was delayed somewhat by the Justice Department, AT&T claims. “On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that…a delay in providing public disclosure was warranted,” the company’s disclosure reads.
The timing of the hacking incident is weird, given that, in April, AT&T also disclosed a large, separate data breach that impacted as many as 73 million customers. Most of those customers were former customers, but some—in fact, 7.6 million—were current ones. That data breach did include personally identifiable information, including Social Security numbers, email addresses, phone numbers, dates of birth, AT&T account numbers, and AT&T passcodes.
According to AT&T’s own timeline, the company disclosed a massive terrible data breach in April and then, like a week later, suffered another massive terrible data breach. If there’s any clear and present evidence that you should switch to Verizon (or maybe just toss your cell phone out a third-story window), this has to be it.
Gizmodo reached out to AT&T for more information on this colossal misstep and will update this story if it responds.