Senator Demands Answers About AT&T Data Breach from Company, Federal Agencies

Several federal agencies are being questioned about when they were informed of the AT&T phone records data breach, and what measures they are taking to shore up cybersecurity.

Following a massive AT&T data breach that resulted in the theft of tens of millions of customers’ phone and text messaging history, a U.S. Senator has sent a request for more information about how the breach occurred and when federal agencies learned about the problems, suggesting that cyberattack could represent a threat to national security.

Senator Chuck Grassley, of Iowa, issued a press release on August 5, announcing he has sent letters to AT&T and 17 federal agencies, demanding they turn over records related to the most recently reported data breach, which impacted about 100 million customers. He called for a response from AT&T and the affected agencies by later this month.

AT&T Data breaches

The AT&T phone records data breach was revealed last month in a report to the Securities and Exchange Commission, followed by a press release to customers detailing the telecom giant’s ongoing investigation into the hack, which apparently occurred several years ago.

AT&T indicates that the data included phone call and text message records involving nearly all AT&T cellular customers from May 1, 2022, to October 31, 2022, and again on January 2, 2023.

Although the company maintains that the data has not been publicly released or sold on the Dark Web, cybersecurity experts warn the breach could pose a serious risk for consumers.

This is the second major AT&T data breach announced in recent months. The earlier reported hack, conducted by an online group known as ShinyHunters, led to more than 70 million customers’ personal identifying information (PII) being leaked on the Dark Web, including names, email addresses, social security numbers and other data.

A growing number individuals have filed AT&T data breach lawsuits over the earlier ShinyHunters incident, raising allegations that the company knew about the leaked data for years and failed to notify customers, exposing them to an increased risk of financial fraud.

According to the press release, Senator Grassley, the Ranking Member of the powerful Senate Budget Committee, sent letters on August 2 to AT&T and the following federal agencies:

• Department of Agriculture
• Department of Commerce
• Department of Defense
• Department of Education
• Department of Energy
• Department of Health and Human Services
• Department of Homeland Security
• Department of Housing and Urban Development
• Department of the Interior
• Department of Justice
• Department of Labor
• Department of State
• Department of Transportation
• Department of the Treasury
• Department of Veterans Affairs
• Executive Office of the President
• Federal Bureau of Investigation

The letter to AT&T’s CEO, John Stankey, called on the company to explain how the data breach happened, and what AT&T is doing to prevent future data breaches.

Grassley urged the company to answer numerous questions by August 16, including how the data breach was discovered, when the company notified federal authorities, and how many agencies were impacted. He also asked similar questions of U.S. agencies, seeking information on their awareness of the breach and their communications with AT&T, as well as what measures they are taking to secure their data following the breaches.

“Bad actors accessed 90 million Americans’ data, which potentially included federal agencies’ communications patterns. That’s a significant national security threat waiting in the wings,” Senator Grassley wrote. “Congress ought to know exactly what outstanding vulnerabilities we’re dealing with, as well as how AT&T and the executive branch are actively mitigating future risks.”

AT&T Data Breach Lawsuits

Affected customers have filed a growing number of AT&T data breach lawsuits since the incidents were announced, including both individual and class action claims.

Following the first leak, the U.S. Judicial Panel on Multidistrict Litigation (JPML) established consolidated pretrial proceedings for all AT&T data breach lawsuits filed over that security failure, centralizing claims brought throughout the federal court system before U.S. District Judge Ada Brown in the Northern District of Texas for coordinated discovery and pretrial proceedings.

However, several plaintiffs petitioned the JPML last month to establish a separate AT&T phone records data breach MDL, which involves a completely different security failure and may be centralized before a different judge in a different venue.

It is expected that the JPML will consider oral arguments over the motion during an upcoming hearing scheduled for September 26, 2024, in Nashville, Tennessee.