The telephone giant seems more chill than many of its customers, now learning that records of essentially all their calls and texts (but not the content of those communications) between May and the end of Oct. 2022, along with Jan. 2nd, 2023, are in the hands of hackers. AT&T says it “does not believe” the data has been made public.
“As of the date of this filing, this incident has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations,” the company stated in an 8K filing with the SEC on July 12th.
The Federal Communications Commission (FCC) has now launched an investigation of the hack.
AT&T says it learned of the hack on April 18th, but the US Department of Justice agreed the company could keep the hack quiet while law enforcement investigate. At least one hacker has apparently been apprehended, according to the company.
The company is pointing the finger at one of its cloud providers, identified in the media as Snowflake, which apparently has other recent breaches.
The telecom leader appears to be minimizing the potential impact of the hack because, in effect, only phone numbers and metadata associated with them were lost, rather than the content of the messages/calls and names and personal information of customers. But media reports are more alarming: “The trove represents a potential minefield of potential privacy and national security issues, for intelligence agents, police officers, stalking victims, journalists, therapists, an endless list of disturbing possibilities. AT&T has almost 115 million customers.”
One alarmed social media user noted that criminals in possession of the data could identify the phone numbers of those who called a business, then use the data to call them back pretending to be the business and scam them.
Customers can get more information at the link in this AT&T press release.
“AT&T has taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access. AT&T will provide notice to its current and former impacted customers,” the company said in its filing.
There’s no mention on cyber insurance in the filing, but we imagine that topic will be coming up and we’ll stay on top of the story.
Other News: SEC Reveals Its Cyber Reporting Rule, Scrambling and Confusion Sure to Follow (Opens in a new browser tab)