Millions of customers’ data found on dark web in latest AT&T data breach

An AT&T store in New York. The telecommunications company said Saturday that a data breach has compromised the information tied to 7.6 million current customers. (Richard Drew/AP)

An AT&T store in New York. The telecommunications company said Saturday that a data breach has compromised the information tied to 7.6 million current customers. (Richard Drew/AP)

AT&T announced on Saturday it is investigating a data breach involving the personal information of more than 70 million current and former customers leaked on the dark web.

According to information about the breach on the company’s website, 7.6 million current account holders and 65.4 million former account holders have been impacted. An AT&T press release said the breach occurred about two weeks ago, and that the incident has not yet had a “material impact” on its operations.

AT&T said the information included in the compromised data set varies from person to person. It could include social security numbers, full names, email and mailing addresses, phone numbers, and dates of birth, as well as AT&T account numbers and passcodes.

The company has so far not identified the source of the leak, at least publicly.

“Based on our preliminary analysis, the data set appears to be from 2019 or earlier,” the company said. “Currently, AT&T does not have evidence of unauthorized access to its systems resulting in theft of the data set.”

The company said it is “reaching out to all 7.6 million impacted customers and have reset their passcodes,” via email or letter, and that it plans to communicate with both current and former account holders with compromised sensitive personal information. It said it plans to offer “complimentary identity theft and credit monitoring services” to those affected by the breach.

External cybersecurity experts have been brought in to help investigate, it added.

NPR reached out to a few AT&T stores. The sales representatives in all cases said they were as yet unaware of the breach.

On its website, the telecommunications company encouraged customers to closely monitor their account activity and credit reports.

“Consumers impacted should prioritize changing passwords, monitor other accounts and consider freezing their credit with the three credit bureaus since social security numbers were exposed,” Carmen Balber, executive director of the consumer advocacy group Consumer Watchdog, told NPR.

An industry rife with data leaks

AT&T has experienced multiple data breaches over the years.

In March 2023, for instance, the company notified 9 million wireless customers that their customer information had been accessed in a breach of a third-party marketing vendor.

In August 2021 — in an incident AT&T said is not connected to the latest breach — a hacking group claimed it was selling data relating to more than 70 million AT&T customers. At the time, AT&T disputed the source of the data. It was re-leaked online earlier this month. According to a Mar. 22 TechCrunch article, a new analysis of the leaked dataset points to the AT&T customer data being authentic. “Some AT&T customers have confirmed their leaked customer data is accurate,” TechCrunch reported. “But AT&T still hasn’t said how its customers’ data spilled online.”

AT&T is by no means the only U.S. telecommunications provider with a history of compromised customer data. The issue is rife across the industry. A 2023 data breach affected 37 million T-Mobile customers. Just last month, a data leak at Verizon impacted more than 63,000 people, the majority of them Verizon employees.

A 2023 report from cyber intelligence firm Cyble said that U.S. telecommunications companies are a lucrative target for hackers. The study attributed the majority of recent data breaches to third-party vendors. “These third-party breaches can lead to a larger scale supply-chain attacks and a greater number of impacted users and entities globally,” the report said.

Government rules adapt

Meanwhile, last December, the Federal Communications Commission (FCC) updated its 16-year-old data breach notification rules to ensure that telecommunications providers adequately safeguard sensitive customer information. According to a press release, the rules aim to “hold phone companies accountable for protecting sensitive customer information, while enabling customers to protect themselves in the event that their data is compromised.”

“What makes no sense is leaving our policies stuck in the analog era,” said FCC Chairwoman Jessica Rosenworcel in a statement regarding the changes. “Our phones now know so much about where we go and who we are, we need rules on the books that make sure carriers keep our information safe and cybersecure.”

Copyright 2024 NPR. To see more, visit https://www.npr.org.

Want a digest of WHYY’s programs, events & stories? Sign up for our weekly newsletter.

Together we can reach 100% of WHYY’s fiscal year goal