A hack that has compromised millions of AT&T customers’ communication and location records undermines US national security and represents one of the worst breaches of an American telecommunications provider on record, according to privacy and security experts.
On Friday, AT&T disclosed that an unknown hacker had compromised its network in April and stolen records of calls and text messages from nearly all of AT&T’s more than 100 million wireless customers through a five-month period in 2022 and 2023.
AT&T, the third largest wireless company in the US, said the data didn’t include the audio of calls or the written contents of messages, but included records showing when a call or text was made between individual phone numbers as well as location data associated with some of the numbers.
At scale, such information – known as metadata – can be used to create an intimate portrait of people’s lives and relationships.
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, said he was “flabbergasted” by the scale of the intrusion. “I can’t think of another breach that has these features — it’s pretty unique and horrible,” he said.
“It’s a comprehensive view into people’s private worlds,” Scott-Railton added. “It’s an absolute goldmine to anybody trying to figure out both people’s secrets and US government secrets.”
The telecommunications sector is often a ripe target for hackers due to the sensitive personal information that it holds, which is useful to criminals for the purposes of extortion and for foreign governments to spy on politicians, journalists, activists and others.
‘Map of our personal lives’
In 2021, cybersecurity experts accused Chinese hackers of infiltrating telecoms companies across Southeast Asia for the purposes of espionage. Suspected Russian hackers have allegedly compromised Ukrainian telecoms firms. Western intelligence agencies have adopted similar tactics. In 2010, the British surveillance agency Government Communications Headquarters infiltrated the network of Belgian carrier Belgacom in order to eavesdrop on communications, according to top-secret documents leaked by the National Security Agency whistle-blower Edward Snowden.
In the US, data breaches have been a common occurrence across the telecoms sector. In March 2023, AT&T disclosed another hack in which it said some nine million customers’ account details had been accessed. Separately, T-Mobile in January 2023 said that hackers had stolen data on some 37 million customers, but that trove contained names, addresses and dates of birth, rather than records of calls or texts.
The latest AT&T attack appears to be far greater in scope than previously disclosed breaches affecting the telecoms sector in the US, touching not only almost all of the company’s wireless subscribers but also those of unnamed “mobile virtual network operators” who were using AT&T’s wireless network.
“This data is some of the most detailed data that a telephone company holds on its customers,” said Gus Hosein, executive director at London-based rights group Privacy International. “Drawing out who is speaking to who, and when gives you a map of our personal lives. This is why law enforcement and intelligence agencies are always trying to get their hands on exactly this data, and it’s why it must be secured.”
The hacker was able to obtain the data after accessing an AT&T system through a third-party cloud platform, according to AT&T’s disclosure on Friday to the US Securities and Exchange Commission. The company said that the breach had “not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations”.
However, privacy experts say the company is likely to face blowback from lawmakers and regulators. The breach represented a “devastating privacy issue”, said Nathan Wessler, deputy director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project. Under US law, Wessler said, customers’ phone records are supposed to be protected at the highest level.
“People with subpoena power and regulatory power should be taking a look at this,” said Wessler. “If AT&T is at fault here, either because it didn’t secure systems or misled customers about the security of systems, it should be held to account.”
The US Federal Bureau of Investigation said it has been contacted by AT&T about the breach, and the Federal Communications Commission said it’s investigating the matter. — Ryan Gallagher, (c) 2024 Bloomberg LP