AT&T data breach leaks 7.6 million customers' information to the dark web: NPR

AT&T store in New York. A data breach left information associated with 7.6 million existing customers compromised, the telecom company said on Saturday.

Richard Drew/AP

Hide caption

Toggle caption

Richard Drew/AP

AT&T store in New York. A data breach left information associated with 7.6 million existing customers compromised, the telecom company said on Saturday.

Richard Drew/AP

AT&T announced Saturday that it is investigating a data breach that involved personal information for more than 70 million current and former customers that was leaked on the dark web.

according to Information about the violation On the company's website, 7.6 million current account holders and 65.4 million previous account holders were affected. AT&T press release It said the hack occurred about two weeks ago, and that the incident had not yet had a “material impact” on its operations.

AT&T said the information included in the compromised data set varies from person to person. It can include Social Security numbers, full names, mail and mail addresses, phone numbers, dates of birth, as well as AT&T account numbers and passcodes.

The company has not yet identified the source of the leak, at least publicly.

“Based on our preliminary analysis, the data set appears to date back to 2019 or earlier,” the company said. “At this time, AT&T has no evidence of unauthorized access to its systems resulting in the theft of the data set.”

The company said it is “reaching out to all 7.6 million affected customers and resetting their passcodes,” via email or message, and that it plans to reach out to current and former account holders who have sensitive personal information at risk. It said it plans to offer “free identity theft and credit monitoring services” to those affected by the hack.

She added that external experts in the field of cybersecurity were hired to assist in the investigation.

NPR reached out to a few AT&T stores. In all cases, sales representatives said they were not yet aware of the violation.

The telecommunications company encouraged customers on its website to closely monitor their account activity and credit reports.

“Affected consumers should prioritize changing passwords and monitoring other accounts and consider freezing their credit with the three credit bureaus since their Social Security numbers were disclosed,” Carmen Balber, executive director of the advocacy group Consumer Watchdog, told NPR.

An industry full of data leaks

AT&T has witnessed Multiple data breaches Over the years.

In March 2023, for example, the company informed 9 million wireless customers that their customer information had been accessed through a breach by a third-party marketing vendor.

In August 2021 — in an incident that AT&T said was not related to the recent hack — a hacking occurred The group claimed it was selling data related to more than 70 million AT&T customers. on time, AT&T disputed the source of the data. It was re-leaked online earlier this month. According to March 22 TechCrunch article, a new analysis of the leaked data set indicates that AT&T customer data is correct. “Some AT&T customers have confirmed that their leaked customer data is accurate,” TechCrunch reported. “But AT&T has not yet said how its customers’ data was leaked online.”

AT&T is by no means the only US telecommunications provider with a history of compromised customer data. This issue is widespread throughout the industry. A data breach in 2023 affected 37 million T-Mobile customers. Just last month, a data leak at Verizon affected more than 63,000 people, most of whom were Verizon employees.

a 2023 report Cyber ​​intelligence company Cybell said that US telecommunications companies are a lucrative target for hackers. The study attributed the majority of recent data breaches to third-party vendors. “These third-party breaches could lead to widespread attacks on the supply chain and a greater number of users and entities affected globally,” the report said.

Government rules adjust

Meanwhile, last December, the FCC updated its 16-year-old data breach reporting rules to ensure telecom providers adequately protect sensitive customer information. according to press releaseThe rules aim to “hold phone companies accountable for protecting sensitive customer information, while enabling customers to protect themselves if their data is compromised.”

“What makes no sense is leaving our policies stuck in the analog era,” FCC Chairwoman Jessica Rosenworcel said in a comment. statement Regarding changes. “Our phones now know a lot about where we go and who we are, and we need written rules that ensure telecom companies keep our information safe and secure online.”