AT&T data breach leaks info of 7.6M customers to dark web : NPR

An AT&T retailer in New York. The telecommunications firm mentioned Saturday {that a} knowledge breach has compromised the data tied to 7.6 million present prospects.

Richard Drew/AP

cover caption

toggle caption

Richard Drew/AP

An AT&T retailer in New York. The telecommunications firm mentioned Saturday {that a} knowledge breach has compromised the data tied to 7.6 million present prospects.

Richard Drew/AP

AT&T introduced on Saturday it’s investigating an information breach involving the non-public data of greater than 70 million present and former prospects leaked on the darkish net.

In response to details about the breach on the corporate’s web site, 7.6 million present account holders and 65.4 million former account holders have been impacted. An AT&T press launch mentioned the breach occurred about two weeks in the past, and that the incident has not but had a “materials influence” on its operations.

AT&T mentioned the data included within the compromised knowledge set varies from individual to individual. It may embrace social safety numbers, full names, e-mail and mailing addresses, cellphone numbers, and dates of start, in addition to AT&T account numbers and passcodes.

The corporate has thus far not recognized the supply of the leak, no less than publicly.

“Primarily based on our preliminary evaluation, the info set seems to be from 2019 or earlier,” the corporate mentioned. “At the moment, AT&T doesn’t have proof of unauthorized entry to its methods leading to theft of the info set.”

The corporate mentioned it’s “reaching out to all 7.6 million impacted prospects and have reset their passcodes,” through e-mail or letter, and that it plans to speak with each present and former account holders with compromised delicate private data. It mentioned it plans to supply “complimentary identification theft and credit score monitoring companies” to these affected by the breach.

Exterior cybersecurity consultants have been introduced in to assist examine, it added.

NPR reached out to some AT&T shops. The gross sales representatives in all circumstances mentioned they have been as but unaware of the breach.

On its web site, the telecommunications firm inspired prospects to intently monitor their account exercise and credit score experiences.

“Shoppers impacted ought to prioritize altering passwords, monitor different accounts and take into account freezing their credit score with the three credit score bureaus since social safety numbers have been uncovered,” Carmen Balber, govt director of the buyer advocacy group Shopper Watchdog, advised NPR.

An business rife with knowledge leaks

AT&T has skilled a number of knowledge breaches through the years.

In March 2023, as an illustration, the corporate notified 9 million wi-fi prospects that their buyer data had been accessed in a breach of a third-party advertising and marketing vendor.

In August 2021 — in an incident AT&T mentioned is just not related to the most recent breach — a hacking group claimed it was promoting knowledge referring to greater than 70 million AT&T prospects. On the time, AT&T disputed the supply of the info. It was re-leaked on-line earlier this month. In response to a Mar. 22 TechCrunch article, a brand new evaluation of the leaked dataset factors to the AT&T buyer knowledge being genuine. “Some AT&T prospects have confirmed their leaked buyer knowledge is correct,” TechCrunch reported. “However AT&T nonetheless hasn’t mentioned how its prospects’ knowledge spilled on-line.”

AT&T is certainly not the one U.S. telecommunications supplier with a historical past of compromised buyer knowledge. The difficulty is rife throughout the business. A 2023 knowledge breach affected 37 million T-Cellular prospects. Simply final month, an information leak at Verizon impacted greater than 63,000 individuals, nearly all of them Verizon staff.

A 2023 report from cyber intelligence agency Cyble mentioned that U.S. telecommunications firms are a profitable goal for hackers. The research attributed nearly all of latest knowledge breaches to third-party distributors. “These third-party breaches can result in a bigger scale supply-chain assaults and a higher variety of impacted customers and entities globally,” the report mentioned.

Authorities guidelines adapt

In the meantime, final December, the Federal Communications Fee (FCC) up to date its 16-year-old knowledge breach notification guidelines to make sure that telecommunications suppliers adequately safeguard delicate buyer data. In response to a press launch, the principles goal to “maintain cellphone firms accountable for shielding delicate buyer data, whereas enabling prospects to guard themselves within the occasion that their knowledge is compromised.”

“What is senseless is leaving our insurance policies caught within the analog period,” mentioned FCC Chairwoman Jessica Rosenworcel in a press release concerning the adjustments. “Our telephones now know a lot about the place we go and who we’re, we want guidelines on the books that make sure that carriers maintain our data protected and cybersecure.”