Hackers stole six months’ worth of call and text message records of nearly every AT&T cellular network customer, the company said Friday, a breach that has the potential to reveal sensitive information about millions of Americans.
The company said in an SEC filing that it learned from an internal investigation that in April, hackers “unlawfully accessed and copied AT&T call logs” that were saved on a third-party cloud platform.
The data contains records of calls and texts between approximately May 1 and Oct. 31, 2022, and on Jan. 2, 2023.
The content of the calls and messages was not compromised and customers’ personal information was not accessed — but the records did include phone numbers. Such information is often called metadata, which is information about communications, and considered highly sensitive especially when collected and analyzed at large scales to reveal patterns and connections between people.
AT&T’s wireless network has 127 million devices connected to it, according to the company’s 2023 annual report.
“While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” the company said in its SEC filing.
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which focuses on communications technology and security, called the hack a “megabreach,” emphasizing that metadata stolen at this scale has the potential to be a major national security threat as well as a problem for businesses and individuals.
“These are incredibly sensitive pieces of personal information and, when taken together at the scale of information that appears to be included in this AT&T breach, they present a massive NSA-like window into Americans’ activity,” he said, nodding to the leaks by Edward Snowden that exposed the National Security Agency’s bulk collection of metadata.
AT&T said it has “taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access.” Customers affected by the hack will be contacted, it said.
The company said the U.S. Justice Department ruled that it should publicly announce details of the hack — on May 8 and June 5 — but only after an unspecified delay.
AT&T added that it is assisting law enforcement officers in efforts to arrest the hackers.
“Based on information available to AT&T, it understands that at least one person has been apprehended,” the company said, without providing further details.
The company sought to assure customers that, at least as of Friday, “AT&T does not believe that the data is publicly available.”
The filing also said the hack would not impact its operations or negatively affect its financial results.
This article was originally published on NBCNews.com.
