AT&T Informs Regulators of Data Breach Exposing Millions of Customer Records

AT&T has initiated the process of informing state authorities and regulators in the United States about a security breach.

This action comes after verifying the authenticity of millions of customer records that surfaced online last month.

In compliance with legal obligations, AT&T has submitted notifications to state attorney general offices, including those of Maine and California, disclosing that over 51 million individuals have been affected by the breach, with approximately 90,000 of them residing in Maine.

As the largest telecommunications company in the United States, AT&T confirmed that the compromised data included customers' full names, email addresses, mailing addresses, dates of birth, phone numbers, and Social Security numbers. The leaked information was dated back to mid-2019 and earlier, with records containing valid data pertaining to more than 7.9 million current AT&T customers.

Although the breach has being detected three years after a subset of the leaked data initially surfaced online, AT&T's delayed response prevented a comprehensive analysis of the data. The full dataset of 73 million leaked customer records was only made public last month, allowing affected customers to verify the authenticity of their compromised information. Notably, the leaked data also included encrypted account passcodes, posing a significant risk to customer account security.

Following the publication of the complete dataset, a security researcher alerted TechCrunch that the encrypted passcodes within the leaked data were susceptible to decryption. Acting swiftly upon TechCrunch's notification on March 26, AT&T reset the affected account passcodes to mitigate the potential threat to customer security. TechCrunch refrained from publishing the story until AT&T had completed the process of resetting the passcodes.

In acknowledging the breach, AT&T confirmed that the leaked data belonged to both current and former customers, estimating that approximately 65 million former customers were impacted. Under state data breach notification laws, companies are mandated to disclose incidents affecting large numbers of individuals to state attorneys general. In its notifications filed in Maine and California, AT&T pledged to provide affected customers with identity theft and credit monitoring services.

Despite extensive efforts, AT&T has yet to determine the source of the data leak, leaving customers concerned about the security of their personal information. As investigations continue, AT&T remains committed to prioritizing customer data security and mitigating the impact of the breach on affected individuals.