AT&T data breach exposes 73m customers’ information, sparks lawsuits

Shanna Hall

AT&T has acknowledged a massive data breach exposing the sensitive information of nearly 73 million customers. The exposed information includes names, passwords, addresses, phone numbers, dates of birth, Social Security numbers and email addresses – a goldmine for scammers and other cybercriminals.

The breach has already sparked lawsuits, with the telecom giant facing a barrage of legal challenges from those affected by the security lapse.

Let’s break down exactly what we know so far – plus, why finance and accounts teams should be on high alert.

Who is impacted and what was exposed?

The scale of the breach is staggering: 7.6 million existing account holders and 65.4 million former customers have been impacted. Among this data are the passcodes for over 7 million customer accounts.

These passcodes, used as an additional security measure to access sensitive account details, could now be in the hands of malicious actors, potentially enabling them to gain unauthorised access to even more sensitive information – or, depending on whether customers reused passcodes across different accounts or platforms, threat actors may even be able to access organizational processes or payment details.

A timeline of the AT&T breach

While much of the fallout unfolded across March and April of 2024, the breach actually began long before that.

In 2021, a threat actor known as ShinyHunters claimed to have hacked AT&T and attempted to sell the stolen data on the RaidForums cybercrime forum. At the time, the hacker demanded a starting price of $200,000, with incremental offers of $30,000 or an immediate sale for $1 million. AT&T was quick to refute these allegations, telling BleepingComputer that the leaked data did not appear to have originated from their systems and that there were no signs of a breach. “Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems,” the company stated.

ShinyHunters, undeterred, replied, “I don’t care if they don’t admit. I’m just selling.”

For nearly two years, AT&T maintained its stance, continuing to tell BleepingComputer that they saw no evidence of a breach in their systems and believed the data did not come from their end.

The plot thickened in March 2024. Another threat actor leaked the entire database for free on a hacking forum and claimed it was the same data that ShinyHunters had attempted to sell in 2021. It contained a trove of sensitive customer information, including names, addresses, phone numbers, dates of birth and Social Security numbers.

BleepingComputer’s investigation confirmed the legitimacy of the leaked data, with the website’s cybersecurity researchers verifying that the information matched that of known AT&T customers from 2021 and earlier.

On March 30, 2024, AT&T acknowledged the breach.

What consequences does AT&T face?

We know that the cost of data breaches can be huge yet difficult to quantify. However, any technical or operational fallout that AT&T might be facing will be compounded by legal challenges.

Multiple class-action lawsuits are being filed in the wake of the breach’s disclosure. One such suit, handled by Morgan & Morgan, alleges that the telecom giant failed to adequately protect its customers’ personal data.

“As the largest telecommunications company in the country, AT&T has a crucial duty to safeguard their current and former customers’ sensitive information,” a Morgan & Morgan spokesperson told BleepingComputer. “We allege AT&T knew about the vulnerability that allegedly led to this breach, but allowed it to occur by failing to act.”

The lawsuit further accuses AT&T of exacerbating the problem by failing to acknowledge the breach in a timely manner, leaving customers’ personal data vulnerable for more than two and a half years. Plaintiffs are seeking a range of remedies, including compensatory damages, restitution and credit monitoring services funded by the company.

Why the breach heightens risks for businesses and individuals

A single data breach can have ripple effects that go far beyond the immediate consequences, endangering scores of other individuals and even entire ecosystems of businesses and organizations.

When data is exposed or traded between malicious actors, it’s common for people to think something along the lines of, “Well, it’s just my email address and phone number. What can they do with that sort of information?”

Even small bits of information can help scammers put together a more complete picture of their targets or pilfer even more sensitive information. And, concerningly, the information exposed in the AT&T breach is far more sensitive. Even if none of your organization’s information or your employees’ information has been exposed, the scale of the breach means that it’s likely that someone in your supply chain has been impacted.

Typically, all that cybercriminals need is one employee to click the wrong link or respond to the wrong email. Using ill-gotten data and personal information, scammers are able to hone their techniques for accomplishing this, making it easier for targets to fall victim.

Unfortunately, as keepers of their organization’s money, accounts and finance teams are often on the frontlines of these scam attempts.

We take an in-depth look at this concept in a past webinar, How data breaches land at Finance’s door, which you can watch online or read as a transcript.

How to keep your business safe after a major data breach

There’s no silver bullet for protecting your business against scam or fraud attempts, but there are layers of security you can build up. These threats are multi-faceted, which means you should be reassessing a variety of mechanisms and vulnerabilities within your organization.

Typically, that means looking at three main areas:

  1. People. Are your teams trained to recognise scam attempts, including new and emerging AI-enabled threats like deepfakes? When was the last time they went through training? Many successful scams depend on human error, so it’s critical that employees are aware of threats and how to spot the warning signs.
  2. Processes. Since human error is often one of your biggest vulnerabilities, how many of your processes depend on human infallibility? Are there ways to fortify or automate parts of your payment processes? If you want to be sure about vulnerabilities, it’s smart to pressure-test your processes, especially with new AI threats in mind.
  3. Technology. When security controls are highly manual, the risk of human error increases – so don’t cede the technological advantage to cybercriminals. Automating certain processes reduces the risk of human error or negligence, while real-time alerts equip employees to make better decisions.