Telecom giant AT&T revealed a massive data breach on Saturday that compromised sensitive information from nearly 73 million current and former customer accounts – a staggering disclosure that highlights the persistent cybersecurity vulnerabilities facing major corporations.

In a brief press release, the company acknowledged that certain data fields specific to AT&T containing customer records were leaked to the dark web approximately two weeks ago. The source and full scope of the breach were not specified.

Based on its preliminary analysis, the exposed information appears to be from 2019 or earlier and impacts a combined 7.6 million existing AT&T customer accounts along with 65.4 million accounts belonging to former subscribers.

The data set contains a trove of personal details including:

  • Full names.
  • Email and home addresses.
  • Phone numbers.
  • Dates of birth.
  • Social Security Numbers (SSNs).
  • AT&T account information and passcodes.

Also read: 50+ Phishing Statistics For 2023

AT&T stressed that the compromised data does not contain any individual financial details like credit card numbers or customer call histories and transcripts. However, the information that was leaked, particularly Social Security numbers, could likely easily be used by bad actors to steal the identities of victims. The company also said that it did not find any evidence that its internal systems were directly breached in the incident.

Was Your Data Compromised? How to Protect Yourself Online

There are a few basic rules set by cybersecurity experts to help you keep your online accounts safe and one of the most important is using two-factor or multi-factor authentication. Instead of logging in with just a username and password, you add an additional layer of security with an authenticator app or a SMS-based 2FA system.

Two-factor authentication can make your accounts exponentially more secure, especially when avoiding SMS-based 2FA.

AT&T Urges Customers to Stay Vigilant

The sheer scale of the personal data that is now in circulation on underground cybercrime forums represents a massive security and privacy threat for those impacted. AT&T has begun notifying all 7.6 million current subscribers whose accounts were exposed and is resetting their account passcodes as a precautionary measure.

“We encourage customers to remain vigilant by monitoring account activity and credit reports”, the company stated. It also added that it is preparing to offer complimentary credit monitoring and identity protection services to those whose Social Security Numbers (SSNs) were compromised.

The main risk here seems to be identity theft. Bad actors could take your information, use it to sign up for loans or credit cards, and steal as much of that credit as possible, leaving you in the lurch.

Cybersecurity experts are urging impacted individuals to immediately consider credit freezes to prevent illicit accounts from being opened in their names. They also caution that bad actors could use the leaked information for targeted phishing campaigns, system access attempts, financial fraud, or even to catalyze future network intrusions.

“Consumers impacted should prioritize changing passwords, monitor other accounts, and consider freezing their credit with the three credit bureaus since social security numbers were exposed,” Carmen Balber, executive director of the non-profit Consumer Watchdog, told journalists from NPR.

Big Telcos Are Being Increasingly Targeted by Cyber Criminals

The breach announcement highlights the persistent cybersecurity challenges facing AT&T and other major telecommunications providers that maintain troves of highly sensitive customer data for their regular operations. Despite considerable investments in defensive safeguards, security lapses have continued to plague the industry in recent years.

In March last year, AT&T told 9 million customers that their records were accessed in an incident involving a third-party marketing vendor. The previous year, T-Mobile was forced to pay $350 million to settle claims after the records of over 50 million current and former subscribers were leaked.

Meanwhile, just last month, Verizon Communications suffered a breach that impacted more than 63,000 individuals, the majority of whom were company employees.

“These third-party breaches can lead to a larger scale supply-chain attacks and a greater number of impacted users and entities globally”, warned a 2023 report from cybersecurity firm Cyble on the telecom sector’s woes.

Also read: 88% of Data Breaches Are Due to Human Error

ftc chairwoman jessica rosenworcel addresses at&t breach 2

The Federal Communications Commission (FTC) also recently updated its data breach notification rules over concerns that existing requirements did not go far enough to protect consumer privacy and hold providers accountable.

“Our phones now know so much about where we go and who we are, we need rules on the books that make sure carriers keep our information safe and cybersecure.”, FCC Chairwoman Jessica Rosenworcel stated when the revised guidelines were announced in December.

While the culprit and attack vector behind AT&T’s latest incident remains unknown, some cybersecurity experts believe it could be a continuation or reprisal of a previous incident from 2021 where a hacker claimed it stole the data from 70 million subscribers.

Back then, the company downplayed those claims, stating that it had no evidence that its systems were breached despite the evidence provided by the criminals that the data records were authentic.

The similarities between the events, AT&T’s prolonged silence to confirm the breach, and the potential legal liability resulting from not notifying those who were impacted promptly could open the door to class-action lawsuits against the company, warned cybersecurity expert Troy Hunt.

“If they assess this and they made the wrong call on it, and we’ve had a course of years pass without them being able to notify impacted customers, then it’s likely the company will soon face class action lawsuits”, Hunt told The Associated Press.

In its latest breach notification, AT&T stated that its investigation into the data leak, led by internal teams and third-party cybersecurity firms, is still ongoing to determine the source and full impact.

Damage Control Efforts Underway

The company added that the incident has not materially impacted its operations so far. However, it will undoubtedly add to the Dallas-based telecom’s security costs while renewing concerns over its data handling practices.

For now, the company has set up a dedicated information page at att.com/accountsafety for impacted customers. It is directly contacting those whose sensitive data like Social Security numbers were compromised and is providing the option to enroll in credit monitoring and identity theft protection services.

Also read: The Ultimate Password Manager: 1Password vs Lastpass vs Keepass vs Roboform

By some estimates, full personal profiles with Social Security numbers can be sold for up to $50 per record in these illicit markets that cater to financial fraud rings, corporate espionage efforts, and hostile nation-state hacking groups.

As the cybersecurity fallout continues to expand, AT&T will come under intense scrutiny for how it responds and prevents similar incidents from occurring once again with both customers and regulators already becoming dubious about the industry’s data protection practices.

“AT&T takes cybersecurity very seriously and privacy is a fundamental commitment at AT&T”, the company insisted in the aftermath of the breach. However, restoring its customers’ confidence after allowing the leakage of over 73 million customer records to shadowy underground actors may be a tough challenge.