AT&T Cell Phone Data Breach Released Nearly All Customers’ Call Records

AT&T has announced yet another massive data breach, this time involving phone numbers and the private call records of around 110 million customers.

The telecom company announced this latest AT&T data breach in a report to the Securities and Exchange Commission (SEC) on Friday morning, indicating that hackers obtained customer phone number information through a cloud-based server company known as Snowflake, Inc., which hosts data for it and other major corporations.

AT&T also announced the data breach to customers through a press release issued this morning, detailing its ongoing investigation into the hack, which apparently occurred several years ago.

“Our investigation found that the downloaded data included phone call and text message records of nearly all of AT&T cellular customers from May 1, 2022 to October 31, 2022 as well as on January 2, 2023,” the company stated. “These records identify other phone numbers that an AT&T wireless number interacted with during this time, including AT&T landline (home phone) customers.”

The company notes that it does not believe the data is currently publicly available, and that AT&T is working with law enforcement. At least one arrest has already been made, the company indicates.

Snowflake Data Breaches

AT&T is just one of several companies who indicate their customers’ data was accessed through Snowflake, which claims to serve nearly 10,000 global customers, including banks, ticketing agents, and telecom companies. A recent Ticketmaster data breach, which potentially affects more than 500 million customers, was also linked to a breach of Snowflake’s security.

Snowflake, however, has said that its systems have not been compromised, and some claims have alleged that the data breaches were through EPAM Systems; another software firm and a partner with Snowflake. EPAM has also denied its systems were the source of the data.

Snowflake also stores data for MasterCard, Novartis, PepsiCo, Allstate Insurance, Capitol One, Jet Blue, Progressive, State Farm, and NBC Universal, among others.

AT&T ShinyHunters Data Breach

This is the second major AT&T data breach announced in recent months. The earlier reported hack, conducted by an online group known as ShinyHunters, led to more than 70 million customers’ personal identifying information (PII) being leaked on the Dark Web, including names, email addresses, social security numbers and other data.

Although information about the breach just recently came to light, a growing number of AT&T data breach lawsuits have been filed over the past few months, alleging that the company knew about the leaked data for years and failed to notify customers, exposing them to an increased risk of financial fraud.

The lawsuits indicate that those hackers gained access to the personal information of customers as early as August 2021, and publicly posted customer information on the Dark Web months ago. However, AT&T notice letters regarding the breach just recently started to be sent earlier this year, so the size and scope of the litigation is expected to continue to increase dramatically in the coming months.

AT&T Data Breach Lawsuits

Given common questions of fact and law raised in those complaints, the U.S. Judicial Panel on Multidistrict Litigation (JPML) established an AT&T data breach multidistrict litigation (MDL) last month, consolidating all complaints filed through the federal district court system in the U.S. District Court for the Northern District of Texas under Judge Ada E, Brown, who will shepherd the litigation through coordinated pretrial proceedings. So far, the claims only involve the first AT&T data breach announced earlier this year.

Now that an AT&T data breach MDL has been established for the lawsuits, it is expected that Judge Brown will establish a coordinated schedule for discovery to uncover how the customer information was released, steps that could have been taken to prevent the breach and how long AT&T knew about the problem.

If the parties fail to negotiate AT&T data breach lawsuit payouts for individual customers, it is likely that the Court will select a small group of representative cases to serve as early “bellwether” trials, which typically help the parties gauge how juries may respond to certain evidence and testimony that is likely to be repeated throughout the litigation. If AT&T fails to reach data breach settlements during the MDL proceedings, each individual claim may later be remanded back to the U.S. District Court where it was originally filed for trial.