Hackers have stolen half-a-year’s worth of calls and text messages from nearly every AT&T customer, the telecommunications company revealed on Friday.
AT&T, whose wireless network has 127 million devices connected to it, said they learned of the hack as far back as April but are only announcing it today.
Potential for Data to Be Matched with Names
Hackers “unlawfully accessed and copied AT&T call logs” that had been saved via third-party cloud platforms.
The company said, “While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”
Sensitive Information at Large Scale Stolen
While the content of the calls and messages was not compromised and personal information was not accessed, metadata (such as phone numbers) were breached and could be used “at large scales to reveal patterns and connections between people.”
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, has said the breach could constitute both a risk to businesses and individuals, as well as to national security.
Massive Scale of Hack
“These are incredibly sensitive pieces of personal information,” said Scott-Railton, who made comparisons to Edward Snowden’s massive national security leaks.
“When taken together at the scale of information that appears to be included in this AT&T breach, they present a massive NSA-like window into Americans’ activity,” said the researcher.
AT&T’s Cybersecurity Response to Breach
AT&T said it would contact impacted customers directly and said that they had “taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access.”
AT&T said the Justice Department had told them to announce details of the hack as far back as May of this year.
Sensitive Nature of Metadata Highlighted
Scott-Railton described the scale of the hack as “staggering” and added that the “damage isn’t limited to AT&T customers, but everyone they interacted with.”
He added, “Making matters worse, it looks like some of the data has cell site information. That means broad stroke location information that can be translated into intelligence about peoples’ locations and movements.”
Potential Long-Term Effects of Hack
Thomas Rid, a professor of strategic studies and the director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University, said more information would be needed before the scale of the threat is clear.
However, he added that the potential threat could be massive, saying, “If you have somebody’s metadata, you know when they go to work, where they go to work, where they sleep every night.”
Current Status of Stolen Data
“Based on information available to AT&T, it understands that at least one person has been apprehended,” the telecommunications company said.
They added that “AT&T does not believe that the data is publicly available,” and does not believe the hack will impact operations or the company’s financial results.
Previous AT&T Breach Increases Risk
The newly announced hack could present an increased risk to AT&T users because of a previous breach in March, where customers names and Social Security numbers were announced.
“AT&T data previously compromised and released will help threat actors map a large percentage of the phone numbers in these customer records to the actual victims impacted,” said Jake Williams, vice president of research and development at Hunter Strategy.
Senator’s Statement on AT&T Hack
Democratic Senator Ron Wyden criticized AT&T in a statement, saying, “This is not the first data breach revealed by a major phone company and it won’t be the last.”
He added, “These hacks, which are almost always the result of inadequate cybersecurity, won’t end until the FCC starts holding the carriers accountable for their negligence. These companies will keep shortchanging customer security until it hits them in the wallet with billion dollar fines.”