
AT&T discovers five-year-old data breach affecting millions

Social security numbers and personal information were leaked. No evidence of unauthorized access found.

An AT&T retail store in Chicago.
Image: KnowTechie

AT&T is warning millions of current and former customers about a data breach that apparently happened five years ago.

In a statement published over the weekend, AT&T said it found customer information on the so-called “dark web” last month that appeared to originate from a database dating back to 2019.

AT&T said a review of the leaked data showed it appeared to be from 2019 and affected around 7.6 million current customers and over 65 million former customers.

The company affirmed that data in the leaked files included social security numbers and other personal information; separately, AT&T officials said some passwords were also disclosed in the data set.

AT&T said it investigated how the data was leaked on the Internet, asserting there was no evidence “of unauthorized access to its systems resulting in exfiltration of the data set.” The company suggested a vendor might have been involved in a security incident.

“As of today, this incident has not had a material impact on AT&T’s operations,” AT&T said.

Big Scale, Big Problems

AT&T is the largest wireless phone provider in the United States, serving more than 87 million postpaid phone customers and 19 million prepaid customers, according to the company’s financial disclosure reports.

Overall, AT&T connects more than 242 million devices across the country, including mobile hotspots, tablets, 5G laptops, and some law enforcement equipment operated through FirstNet.

Being a large wireless provider has some drawbacks, the chief one being that when something goes wrong, it tends to affect a lot of people.

Such was the case in February when an hours-long outage affecting the AT&T network left millions of customers unable to use their phones to make calls and access the wireless Internet.

AT&T offered a $5 credit to some affected customers; the Federal Communications Commission (FCC) has opened an investigation into the incident.

The data breach revealed on Saturday is not the first security incident to affect AT&T: Two years ago, the company made headlines after a trove of data connected to 70 million current and former customers was leaked on the dark web.

In 2010, security researchers pointed out a flaw in the way AT&T stored certain information related to its iPad customers that allowed some user data to be accessible on the open Internet.

And in 2001, a data breach affecting AT&T and Verizon was investigated after it was discovered some customer information was being traded in underground chat rooms.

AT&T is hardly alone in facing security issues: Rival phone provider T-Mobile has garnered its share of news over lackluster security practices allowing hackers to compromise their servers.

Last year, at least two separate security incidents at T-Mobile allowed unauthorized people to access customer information, and a “system glitch” last September allowed customers to see account information for lines that were not theirs. 

Verizon has also experienced various data breaches, including one last year that saw internal employee data leak after an unnamed staff member gained unauthorized access to their records, according to a report.

What to do if your data is compromised

First, look for a message from your service provider with information about the data breach and guidance on any steps you should take.

Some data breaches involve personal information like driver’s license numbers, social security numbers, home addresses, and birthdates, while others involve usernames and passwords—and some involve a mixture of both.

If your personal information has been compromised, it is generally a good idea to take advantage of free credit monitoring resources offered by your service provider.

In some states, service providers are required to offer basic, free credit monitoring resources for a certain amount of time—typically one or two years.

Federal law also requires credit monitoring agencies to provide you with one free comprehensive credit report per year, listing any attempts to open new credit accounts in your name.

For data breaches involving usernames and passwords, it’s always a good idea to take inventory of your usernames and passwords and change any that might be affected.

Changing the credentials on any other account that uses the same password is also a good idea — especially if you’re someone who re-uses passwords (which security experts say is not a good idea).

Creating a new, hard-to-guess password might carry the additional burden of being difficult to remember; thankfully, there are many good (and, sometimes, free!) password managers that can help you stay on top of many accounts from a central location.

Last, if you’ve suffered any financial loss due to a data breach, you might have certain remedies available under state or federal law.

Some state consumer privacy laws allow customers to sue a company if their data was mismanaged in some way, for instance if their username and password were stored on a server that wasn’t locked or encrypted.

In California, a recently enacted consumer privacy law allows people to sue a business if their information was compromised—but only if that information was stored unencrypted and unredacted.

If you are considering going this route, consulting with a local lawyer is always a good idea.

Matthew Keys is an award-winning freelance journalist who covers the intersection of media, technology and journalism. He is the publisher of and a contributor to KnowTechie, StreamTV Insider (formerly Fierce Video) and Digital Content Next. Matthew is based in Northern California.
