AT&T experienced a massive data breach. Earlier estimates suggested that roughly 73 existing and former customers had their data compromised. The company later confirmed that the actual number was 51 million. The interesting twist in the tale? One threat actor claimed to have leaked this data back in 2021. Learn more about this massive exposure of sensitive information and service disruption in our AT&T Cyber Attack Timeline.
Our comprehensive AT&T Cyber Attack Timeline covers everything that led to the news-making data leak. It starts in 2021, when hackers allegedly claimed to be selling a massive AT&T customer database online, and runs to April 2024, when the telecom giant began notifying impacted customers and regulatory authorities.
Note: All our educational Cyber Attack Timelines are created with the singular purpose of elevating cybersecurity knowledge. The timelines are created based on information freely available on the Internet and news sources. Our endeavour is to present all the updates and events in an easy-to-understand Timeline format. We strongly believe that information is empowering and can help improve your preparation and cyber incident response. Studying recent attacks, how they were handled, what could have been done better are all essential steps in bolstering cyber defences against future attacks.
Topics covered in this article:
1. About the AT&T Cyber Attack
2. Lessons Learned from the Attack
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
In August 2021, the hacking group ShinyHunters claimed they had a database of approximately 70 million AT&T customers, which they began selling online. The telecom giant denied the breach. In February 2023, AT&T customers began experiencing serious service outages.
While the company said the service disruption had nothing to do with a cybersecurity incident, in March that year it began notifying customers that their sensitive information had potentially been compromised. The company said that the alleged breach was caused by a vulnerability on the part of a marketing vendor.
The leaked data potentially includes full names, addresses, dates of birth, phone numbers, social security numbers, and account details of customers, all of which surfaced on the dark web. The telecom giant did commit to offering credit monitoring and identity theft detection services to impacted customers. However, the disclosure of the breach was soon followed by multiple Class Action lawsuits.
While the first lawsuit was filed in Texas on the same day that AT&T announced the breach, several others followed soon after. The lawsuits primarily allege that AT&T failed to implement adequate security measures to protect the sensitive information of its customers.
Many have also highlighted the company's "negligence" to properly investigate the claims of hackers auctioning off its data three years ago. One lawsuit also “accuses AT&T of negligence and breach of contract for failing to investigate the massive data breach for nearly three years.”
Major Update: In July, AT&T said that in a separate incident a threat actor unlawfully accessed and copied all AT&T call logs. The compromised data included nearly "all" of its customers who used its cellular and wireless networks between May 1, 2022 and October 31, 2023. The data also, apparently, contains information on all the calls and texts customers made, call durations and the number of times they interacted with others. The company has, however, said that the data doesn't contain the contents of calls or text messages.
Like every cyber attack, this one too contains important lessons on how to enhance organisational cybersecurity and incident response - the whole point of creating this timeline document. Some of the most compelling ones that stand out to us are:
Data Security Protocols are Sacrosanct: Implementing robust, industry-standard cybersecurity measures is essential. No matter who you are as a business, you cannot escape the consequences of a data breach - be it reputational, legal or regulatory. You will face massive backlash, even if the data compromise was caused by a vulnerability in a vendor's product.
AT&T's breach highlights the need for continuous assessment and upgrading of security protocols to protect sensitive customer data. It also underlines the criticality of the conversation around third-party risk management, which all global regulators are now emphasising heavily.
Timely Detection and Response: Early detection and rapid response are the backbone of cyber resilience. Investing in threat detection systems alone is not enough. You have to demonstrate agility and commitment to mitigating the impact of any anomaly in your systems or risk to your data.
A major grouse that customers have with AT&T today is that threat actors claimed to have leaked the data three years before the organisation confirmed the breach. Cyber Incident Response Plans that enable you to act quickly in such situations can help you avert the dangers of disgruntled customers and lawsuits, besides helping you avoid other dire consequences.
Customer Communication: Transparent and prompt communication with affected customers is crucial. Offering services such as credit monitoring and identity theft protection, as AT&T did, helps maintain customer trust and manage the fallout from breaches. Prioritising Crisis Communications and rehearsing the same through regular scenario-based Cyber Crisis Tabletop Exercises is essential today.
Vendor Management: This is yet another attack caused by a third-party vulnerability. It underscores what the update to NIST CSF, EU DORA and other industry standards and regulations have called for - stringent third-party security standards.
Having a strong hold over your internal cybersecurity infrastructure is no longer adequate. It is imperative to ensure that your vendors and supply chain follow the same security standards. You have to revisit your third-party security regularly, review contracts on data sharing and ensure that closure agreements are water-tight. It's the only way to reduce the possibility of supply chain attacks that are dominating cybersecurity headlines every other month.