AT&T has acknowledged a massive data breach exposing the sensitive information of nearly 73 million customers. The exposed information includes names, passwords, addresses, phone numbers, dates of birth, Social Security numbers and email addresses – a goldmine for scammers and other cybercriminals.
The breach has already sparked lawsuits, with the telecom giant facing a barrage of legal challenges from those affected by the security lapse.
Let’s break down exactly what we know so far – plus, why finance and accounts teams should be on high alert.
The scale of the breach is staggering: 7.6 million existing account holders and 65.4 million former customers have been impacted. Among this data are the passcodes for over 7 million customer accounts.
These passcodes, used as an additional security measure to access sensitive account details, could now be in the hands of malicious actors, potentially enabling them to gain unauthorised access to even more sensitive information – or, depending on whether customers reused passcodes cross different accounts or platforms, threat actors may even be able to access to organizational processes or payment details.
While much of the fallout unfolded across March and April of 2024, the breach actually began long before that.
In 2021, a threat actor known as ShinyHunters claimed to have hacked AT&T and attempted to sell the stolen data on the RaidForums cybercrime forum. At the time, the hacker demanded a starting price of $200,000, with incremental offers of $30,000 or an immediate sale for $1 million. AT&T was quick to refute these allegations, telling BleepingComputer that the leaked data did not appear to have originated from their systems and that there were no signs of a breach. “Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems,” the company stated.
ShinyHunters, undeterred, replied, “I don’t care if they don’t admit. I’m just selling.”
For nearly two years, AT&T maintained its stance, continuing to tell BleepingComputer that they saw no evidence of a breach in their systems and believed the data did not come from their end.
The plot thickened in March 2024. Another threat actor leaked the entire database for free on a hacking forum and claimed it was the same data that ShinyHunters had attempted to sell in 2021. It contained a trove of sensitive customer information, including names, addresses, phone numbers, dates of birth and Social Security numbers.
BleepingComputer’s investigation confirmed the legitimacy of the leaked data, with the website’s cybersecurity researchers verifying that the information matched that of known AT&T customers from 2021 and earlier.
On March 30, 2024, AT&T acknowledged the breach.
We know that the cost of data breaches can be huge yet difficult to quantify. However, any technical or operational fallout that AT&T might be facing will be compounded by legal challenges.
Multiple class-action lawsuits are being filed in the wake of the breach’s disclosure. One such suit, handled by Morgan & Morgan, alleges that the telecom giant failed to adequately protect its customers’ personal data.
“As the largest telecommunications company in the country, AT&T has a crucial duty to safeguard their current and former customers’ sensitive information,” a Morgan & Morgan spokesperson told BleepingComputer. “We allege AT&T knew about the vulnerability that allegedly led to this breach, but allowed it to occur by failing to act.”
The lawsuit further accuses AT&T of exacerbating the problem by failing to acknowledge the breach in a timely manner, leaving customers’ personal data vulnerable for more than two and a half years. Plaintiffs are seeking a range of remedies, including compensatory damages, restitution and credit monitoring services funded by the company.
A single data breach can have ripple effects that go far beyond the immediate consequences, endangering scores of other individuals and even entire ecosystems of businesses and organizations.
When data is exposed or traded between malicious actors, it’s common for people to think something along the lines of, “Well, it’s just my email address and phone number. What can they do with that sort of information?”
Even small bits of information can help scammers put together a more complete picture of their targets or pilfer even more sensitive information. And, concerningly, the information exposed in the AT&T breach is far more sensitive. Even if none of your organization’s information or your employees’ information has been exposed, the scale of the breach means that it’s likely that someone in your supply chain has been impacted.
Typically, all that cybercriminals need is one employee to click the wrong link or respond to the wrong email. Using ill-gotten data and personal information, scammers are able to hone their techniques for accomplishing this and make it easier to fall victim.
Unfortunately, as keepers of their organization’s money, accounts and finance teams are often on the frontlines of these scam attempts.
We take an in-depth look at this concept in a past webinar, How data breaches land at Finance’s door, which you can watch online or read the transcript.
There’s no silver bullet for protecting your business against scam or fraud attempts, but there are layers of security you can build up. These threats are multi-faceted, which means you should be reassessing a variety of mechanisms and vulnerabilities within your organization.
Typically, that means looking at three main areas:
How can you minimise insider threats without compromising culture? Find out 5 ways to do exactly that.
Crypto scams refer to any fraudulent practice in the cryptocurrency space aimed at tricking individuals into investing or giving away assets or …
A very real cyber risk lies within your business. Find out what you need to be aware of and how you can minimise insider threat risks.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
