AT&T data breach: What LIers can do to protect their online identity

AT&T disclosed Friday morning that nearly all its customers were affected by a data breach that exposed call and text message records from a six-month stretch in 2022.

The Dallas-based company said it discovered the breach in April. The data includes the phone numbers that customers called or texted but not the content of calls or text messages, Social Security numbers, dates of birth or other personally-identifiable information.

AT&T said the breach also did not include customers’ names but it cautioned that publicly available online tools can identify names associated with phone numbers. The company said it does not believe the breached data is available online.

The breach occurred through an illegal download of customer data from AT&T's workspace on the third-party cloud data platform Snowflake. 

“We have taken steps to close off the illegal access point,” AT&T said in a statement Friday. “We are working with law enforcement in its efforts to arrest those involved in the incident. We understand at least one person has been apprehended."

Here’s what Long Islanders need to know about the breach:

Who is affected?

AT&T cellular customers; customers of cellular companies that use AT&T’s network, such as Boost Mobile, Cricket Wireless and Consumer Cellular; and AT&T landline customers who interacted with those cell numbers between May 1, 2022, and Oct. 31, 2022.

AT&T had about 110 million wireless subscribers at the end of 2022, according to its annual report.

How do I know if my data has been affected?

AT&T said it will contact affected customers by text, email or U.S. mail. Consumers and businesses can also log in to their myAT&T accounts to check on their status.

What risks does this incident pose to affected customers?

Just because the breach doesn’t include information such as credit card numbers doesn’t mean the data won’t be used maliciously, said Steve Morgan, founder of Northport-based Cybersecurity Ventures and publisher of Cybercrime magazine.

“It's a myth that if a breach only contains email addresses or cell phone numbers, but no other sensitive info i.e. credit card numbers, etc., then there's no risk,” Morgan said. “On the contrary, the reality is that cybercriminals crave and use emails and cell numbers to launch mass phishing attacks with customized subject lines and messages to unsuspecting victims.”

How could this data be used?

Morgan gave an example in which an affected AT&T customer receives a text message that says, “Your AT&T refund in the amount of $73.50 is now available.” Those who click the link may face a ransomware attack in which users unsuspectingly install malicious software that holds their data or device hostage until they pay a ransom.

Another scenario would involve directing consumers to a fake AT&T web page, where users are asked to give their personal information, Morgan said.

Is this connected to AT&T’s March breach?

AT&T told CNN the latest incident was not related to an earlier breach, reported in March, in which personal data, including Social Security numbers, of 73 million current and former customers from 2019 was released on the dark web, a part of the web accessible only using certain software which keeps users anonymous. 

While there's a danger to every breach, the April incident which revealed customer phone numbers and calls to other numbers doesn't provide all that's needed for financial crimes, said James E. Lee, chief operating officer at the San Diego-based Identity Theft Resource Center. 

"In this particular case, somebody who's financially motivated, they're going to have to have a lot of other information [on individuals] to be able to cross reference," he said.

What should AT&T customers do?

AT&T advised customers to be wary of text messages or calls from phone numbers they don’t recognize. Don’t reply to texts from unknown numbers with personal details. Initiate phone calls or website visits to make payments instead of using links provided in a text message.

Morgan added that all AT&T customers should change their passwords and enable multifactor authentication.

Lee, at the Identity Theft Resource Center, encouraged consumers to freeze their credit, which restricts access to a person's credit report. Consumers would need to freeze their credit with each of the three major credit bureaus — Equifax, Experian and TransUnion — to prevent new accounts from being opened in their names. Consumers will be unable to open new accounts but can temporarily lift the credit freeze. 

"That keeps anyone from using that information to impersonate us to set up a new credit account or access an existing account," Lee said. 

Why are there so many data breaches? 

The Identity Theft Resource Center documented 3,205 instances when data was compromised last year, affecting 353 million people. That was up 78% compared with 2022. 

While individuals can't control whether their data is compromised, they can take steps, such as freezing their credit or using password managers, to make their personal information less valuable if cybercriminals do gain access, Lee said. 

Still, consumers shouldn't be satisfied with the status quo, he said. 

AT&T customers "should be very frustrated," Lee said. "They should be angry that this continues to happen. We don't have a regulatory structure in this country that protects consumer information to the degree that you have outside the U.S." 

By Jonathan LaMantia

jonathan.lamantia@newsday.com@jonlamantia

Jonathan LaMantia covers residential real estate and other business news on Long Island. He previously covered the business of health care for Crain's New York Business.