(Bloomberg) — A hack that compromised millions of communication and location records of AT&T Inc. customers undermines U.S. national security and represents one of the worst breaches on record of an American telecommunications provider, according to privacy and security experts. security.
Bloomberg’s Most Read
On Friday, AT&T disclosed that an unknown hacker had compromised its network in April and stolen call and text message records from nearly all of AT&T’s more than 100 million wireless customers over a five-month period in 2022 and 2023.
AT&T, the third U.S. wireless company, said the data did not include the audio of calls or the written content of messages, but did include records showing when a call or text message was made between individual phone numbers, as well as data of location. associated with some of the numbers. On a large scale, this information – known as metadata – can be used to create an intimate portrait of people’s lives and relationships.
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, said he was “flabbergasted” by the scale of the intrusion. “I can’t think of another breach that has these characteristics – it’s quite unique and horrific,” he said.
“It’s a comprehensive look into people’s private worlds,” Scott-Railton added. “It’s an absolute gold mine for anyone trying to uncover people’s secrets and the secrets of the U.S. government.”
The telecommunications sector is often a suitable target for hackers because of the sensitive personal information it holds, which is useful for criminals for extortion purposes and for foreign governments to spy on politicians, journalists, activists and others.
In 2021, cybersecurity experts accused Chinese hackers of infiltrating telecommunications companies across Southeast Asia for espionage purposes. Alleged Russian hackers have compromised Ukrainian telecommunications companies. Meanwhile, Western intelligence agencies have adopted similar tactics. In 2010, British surveillance agency Government Communications Headquarters infiltrated the network of Belgian carrier Belgacom to spy on communications, according to top-secret documents released by National Security Agency whistleblower Edward Snowden.
Common Occurrence
In the US, data breaches have been a common occurrence across the telecommunications sector. In March 2023, AT&T disclosed another hack in which it claimed that the account details of around 9 million customers were accessed. Separately, T-Mobile said in January 2023 that hackers stole data from about 37 million customers, but that trove contained names, addresses and dates of birth rather than call records or text messages.
AT&T’s latest attack appears to be much broader in scope than previously publicized breaches affecting the U.S. telecommunications sector, affecting not only nearly all of the company’s wireless subscribers but also those of non-US “mobile virtual network operators.” identified as using AT&T’s wireless network. .
“This data is some of the most detailed data a phone company has on its customers,” said Gus Hosein, executive director of the London-based human rights group Privacy International. “Drawing who is talking to who and when gives you a map of our personal lives. That’s why law enforcement and intelligence agencies are always trying to obtain exactly this data, and that’s why it must be protected.”
The hacker was able to obtain the data after accessing an AT&T system through a third-party cloud platform, according to AT&T’s Friday disclosure to the Securities and Exchange Commission. The company said the breach “did not have a material impact on AT&T’s operations, and AT&T does not believe this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations.”
However, privacy experts say the company will likely face backlash from lawmakers and regulators. The breach represented a “devastating privacy issue,” said Nathan Wessler, deputy director of the Speech, Privacy and Technology Project at the American Civil Liberties Union. Under U.S. law, Wessler said, customers’ phone records must be protected at the highest level.
“People with subpoena power and regulatory power should take a look at this,” Wessler said. “If AT&T is at fault here, either because it failed to secure systems or misled customers about the security of systems, it should be held accountable.”
The US Federal Bureau of Investigation said it was contacted by AT&T about the breach, and the Federal Communications Commission said it is investigating the matter.
–With assistance from Evan Gorelick.
Bloomberg Businessweek Most Read
©2024 Bloomberg LP
