On Friday July 12, AT&T disclosed that the phone records of almost all current and former AT&T customers were stolen by hackers in April 2024 (AT&T notified the SEC at that time, at which point the US Department of Justice determined a delay in making the breach public was warranted). This breach affects more than just AT&T customers -- it involves anyone an AT&T customer called or texted when the logs were stolen.

What was stolen and from whom?

The breach involved data that AT&T was storing with a third-party cloud storage company and that was left poorly secured. It includes records of calls and texts – including information about who users called and texted, when, and for how long. Nearly all AT&T cellular customers and customers of mobile virtual network operators using AT&T’s network are impacted, as well as AT&T landline customers who interacted with these cellular numbers. The records cover May 1, 2022, to October 31, 2022, and, for a few customers, January 2, 2023.

The contents of calls and text messages were not included in the hack. And while names, social security numbers and credit card details also weren’t included in the data breach, most phone numbers can be tied back to people’s names, so hackers will likely be able to identify who is close to whom. This data also included cell tower information for at least some customers, meaning hackers could get location information about the area where AT&T customers live, and where they go. This data is considered so sensitive that police need a warrant to access it.

We’re worried that hackers could use this information to try and impersonate family members, work colleagues, or even financial institutions to trick victims.

This data breach really highlights the dangers of companies collecting so much of our personal information and not protecting it or respecting it. Hackers accessed this call log data illegally, leaving consumers’ privacy and safety at risk. People should also know that AT&T’s own privacy policy says they can legally sell the personal information they collect on their users, which also puts consumers' privacy and safety at risk. The only difference is one is legal and one is not. Which is why the US needs a strong, consumer-focused federal privacy law.

Jen Caltrider, *Privacy Not Included

Timeline

  • April 14 - 25, 2024 -- Reported time during which the stolen call logs were taken.
    • May 1, 2022 - October 31, 2022, & January 2023 = dates of compromised call log data.
  • April 19, 2024 -- AT&T says they learned of hackers' claims to have stolen AT&T consumer call logs.
  • May 9, 2024 -- US Dept of Justice says a delay in publicly disclosing the data breach was warranted.
  • May 17, 2024 -- A hacker from the ShinyHunters hacking group claims AT&T made a $373,646 ransom payment in regards to this data breach.
  • June 5, 2024 -- US Dept of Justice again says a delay in publicly disclosing the data breach was warranted.
  • July 12, 2024 -- AT&T issues public press release alerting public to this data breach.

I’m not an AT&T customer, am I at risk?

Unfortunately, yes. If you have ever been called or texted by an AT&T customer, it is likely your number is represented in this stolen data, which could put you at risk. That includes people outside of the U.S.

I am an AT&T customer, am I at risk?

AT&T says it will notify customers that have been affected by text, email or physical mail, but if you used AT&T mobile service from May to October 2022, or on Jan. 2, 2023 you should assume your records were stolen.

In their press release, AT&T says “At this time, we do not believe that the data is publicly available.”

What can you do? Privacy tools and tips

There are some things you can do to better protect yourself. In general, the less personal information a company has on you, the safer you are. So share only what you need to get the service and nothing more. You can also:

  • Brush up on the Federal Trade Commission’s tips to avoid getting scammed.
  • Always set up two-factor authentication (2FA) on all your personal accounts and consider using a “second factor” that isn’t a text message, since those can be faked by bad actors more easily. Learn more about how to set up two-factor authentication here.
  • Use a more private and secure messaging app like Signal that offers end-to-end encryption instead of texting.
  • Check the company's website and privacy policy and see if you can opt out of having your data sold and/or shared.
  • Frequently request that the company delete your personal data. The less data they have on you, the safer you are.

And it's probably a good idea to sign up for a free data breach alert service like Mozilla Monitor so that you can be sure you'll be notified when your personal information is included in a breach.

All that being said, let us be clear: It should not be on you to prevent your information from being breached, hacked, and stolen. And you should absolutely get angry that companies don’t and won’t guarantee that your personal information is safe in their hands. AT&T’s own privacy policy warns that “No security measures are perfect. We can’t guarantee that your information will never be disclosed.” Ugh.

Help push for strong consumer privacy protections

Companies like AT&T collect enormous amounts of personal information on us every day. And we just have to trust them to protect and respect all that data. Too often, they simply don’t (here’s a list of AT&T’s data breaches through 2023; it doesn’t include this most recent breach). A quick look at AT&T’s privacy policy shows that the company doesn’t just collect a whole lot of personal information; they also sell that information to make money and share it to target you with very personalized ads. AT&T puts the burden on you to opt out of having your data sold.

AT&T’s privacy policy also clearly states they can’t and won’t guarantee they can keep all the information they collect on you secure and safe from data breaches like this one. All of this is horrible. It’s also standard operating procedure for companies today. This is why we need much stronger consumer-focused privacy laws. And what we really, desperately need, now and going forward, is to no longer allow companies to collect so much of our personal information, use it to make money, and only say “Oops” when they don’t protect or respect it.

Privacy is a human right and it’s about time we treat it that way. We need to give humans more rights to privacy than we give companies rights to our personal data. So please, get angry and make phone calls to tell our policy makers enough is enough -- we need a strong privacy law now!

Jen Caltrider

During a rather unplanned stint working on my Master’s degree in Artificial Intelligence, I quickly discovered I’m much better at telling stories than writing code. This discovery led to an interesting career as a journalist covering technology at CNN. My true passion in life has always been to leave the world a little better than I found it. Which is why I created and lead Mozilla's *Privacy Not Included work to fight for better privacy for us all.

Zoë MacDonald

Zoë is a writer and digital strategist based in Toronto, Canada. Before her passion for digital rights led her to Mozilla and *Privacy Not Included, she wrote about cybersecurity and e-commerce. When she’s not being a privacy nerd at work, she’s side-eyeing smart devices at home.