STATEMENT: AT&T’s second data breach this year affects ‘nearly all’ customers

Media Contacts

Consumers should take steps to protect their privacy, finances

CLEVELAND — Phone giant AT&T says phone and text message records for “nearly all” cellphone customers were stolen during parts of 2022 and 2023. AT&T learned about the data breach on April 19 but only disclosed it Friday in a filing with the Securities and Exchange Commission. The company has about 110 million customers. 

AT&T blamed a third party that stores the company’s information on a cloud platform. The records stolen spanned from May 1, 2022 to Oct. 31, 2022, and on Jan. 2, 2023. The compromised information includes phone numbers of people who AT&T customers talked with, including AT&T customers with landlines/VoIP lines for their home phones. The information includes the numbers of calls and texts and the duration of phone calls involving the affected phone numbers. But the data doesn’t include any specific content of the texts or calls, the company said.

The stolen data also doesn’t include other personal information such as names, Social Security numbers or dates of birth. However, the company noted, “While the data doesn’t include customer names, there are often ways to find a name associated with a phone number using publicly available online tools.” That’s because of the vast availability of data that’s stolen, shared or sold to bad actors and data brokers. The company will notify affected customers.

This is AT&T’s second major data breach in four months. In March, it disclosed personal information, including Social Security numbers in some cases, for about 7.6 million current AT&T customers and about 65.4 million former customers. The company reset passwords for the 7.6 million customers.

Just 18 months ago, T-Mobile said it allowed records for about 37 million prepaid and postpaid accounts to get hacked. The disclosure came in a regulatory filing with the Securities and Exchange Commission. 

In response to the latest breach, PIRG’s Consumer Watchdog Teresa Murray said:

“It’s difficult to understand how, after all of this time, corporate giants with lots of resources can’t or won’t protect our information. This is exasperating and unacceptable. It’s been 16 years since this country had its first huge corporate data breach, Heartland Payment Systems, that affected 100 million payment records. Since then, we’ve had breaches by Facebook, Yahoo, LinkedIn and JPMorgan Chase, and the granddaddy, the devastating breach by Equifax in 2017.

“We all give our most personal data and financial information to these companies – retailers, health insurers, cellphone providers, utilities and more. We trust they’ll take care of it. But another company has failed us, and it’s blaming a third party. This is insulting and cowardly. AT&T has given the bad guys yet another data point they can sell to put us at even more risk.

“While we expect more, we should all assume that much of our data is in the hands of scammers and take precautions such as freezing our credit files and taking other easy steps to protect our financial lives and security.”

Contact Teresa at [email protected]

See our consumer guide:
Worried about a data breach or identity theft?
Here’s what to do now, soon and always