AT&T has warned that a breach compromised data for “nearly all” of its cellular customers over certain periods.
The breach, which AT&T discovered in April, included call and text records between May 1st and October 31st of 2022. It also affected a “very small number” of customers on January 2nd, 2023. The incident also affected carriers that use AT&T’s network, such as Boost Mobile and Cricket, as well as landline callers who talked to cellphone owners.
AT&T reiterated that the data breach didn’t include the content of the calls and texts themselves, or any personally identifiable information. However, the provider noted that there were ways to associate names with phone numbers, and that some of the records included cell site numbers that could help pinpoint locations.
The company hasn’t identified the attacker so far, but believes the information hasn’t been made public. The perpetrator downloaded the material through the AT&T workspace on an unnamed “third-party cloud platform.” The carrier has moved to close the vulnerability and has tapped law enforcement for help, with at least one person arrested.
The Federal Communications Commission is also investigating the AT&T data breach and working with law enforcement.
A data leak like this is potentially very dangerous. While it doesn’t include call or message content, hostile countries, stalkers and other spies could piece together identities and activities using the metadata. They might know who a politician is talking to or where that official lives, for example.
The National Security Agency was criticized in 2013 after whistleblower Edward Snowden revealed the organization’s use of similar bulk data to surveil contact between foreigners and Americans. With AT&T’s stolen info, though, anyone with the right tools could perform similar snooping, albeit only for a limited period from two years ago.