AT&T Contacts Authorities Following Customer Data Breach

AT&T has begun notifying U.S. state authorities and regulators of a security incident after confirming that millions of customer records posted online last month were authentic. According to AT&T the records contained valid data on more than 7.9 million current AT&T customers. AT&T took action some three years after a subset of the leaked data first appeared online, which prevented any meaningful analysis of the data. The full cache of 73 million leaked customer records was dumped online last month, allowing customers to verify that their data was genuine. AT&T eventually acknowledged that the leaked data belongs to its customers, including about 65 million former customers.

According to recent reports, AT&T, the largest telco in the United States, has been facing a major security incident. After confirming the authenticity of millions of customer records posted online last month, the company has begun notifying state authorities and regulators.

In its legally required filing with Maine’s attorney general’s office, AT&T disclosed that more than 51 million people have been affected by the data breach. Out of these, around 90,000 individuals reside in Maine. The compromised personal information includes customers’ full names, email addresses, mailing addresses, date of birth, phone numbers, and Social Security numbers.

The leaked data dates back to mid-2019 and earlier and AT&T has reported that it contains valid information on over 7.9 million current customers. Interestingly, the company took action after a subset of the leaked data had already appeared online three years ago, leaving little scope for analysis. However, it was not until last month when the complete cache of 73 million customer records was dumped online that customers were able to verify the authenticity of their data. It is worth noting that some of the records were found to be duplicates. Along with this personal information, the leaked data also included encrypted account passcodes that provide access to customer accounts.

Soon after the full dataset was published, a security researcher informed TechCrunch that the encrypted passcodes could be easily deciphered. This raised a major concern for TechCrunch, who then alerted AT&T on March 26 about the potential risk to customers. As a result, AT&T took immediate action and reset all affected passcodes. They also requested TechCrunch to withhold any story until the passcodes could be reset.

Following this data breach, an estimated 65 million former AT&T customers have also been affected. Companies that experience data breaches of such magnitude are obligated to inform U.S. attorneys general under state data breach notification laws. In its notice filed in Maine, AT&T has stated that it is offering affected customers identity theft and credit monitoring services.

Despite these measures, the source of the data leak has not yet been identified by AT&T. The incident serves as a reminder of the growing threat posed by cyber attacks and the need for companies to adopt stronger security measures to protect their customers’ personal information.