AT&T has begun notifying US government and regulatory authorities of a security incident after confirming that millions of customer records posted online last month were authentic.
In a legally required deposit With the Maine attorney general’s office, the US telecom giant said it sent letters notifying more than 51 million people that their personal information was compromised in the data breach, including about 90,000 people in Maine. AT&T too notified the California attorney general of the violation.
AT&T — the largest telecommunications company in the United States — said the breached data included customers’ full name, email address, mailing address, date of birth, phone number and Social Security number.
The leaked customer information dates back to mid-2019 and earlier. According to AT&T, the files contained valid data for more than 7.9 million current AT&T customers.
AT&T took action about three years after a subset of the leaked data first appeared online, preventing any meaningful analysis of the data. The full cache of 73 million leaked customer files was dumped online last month, allowing customers to verify their data was genuine. Some of the files contained duplicates.
The leaked data also included encrypted account passwords, which allow access to customer accounts.
Shortly after the full data set was released, a security researcher notified TechCrunch that the encrypted passwords found in the leaked data were easy to crack. AT&T reinstated those account passwords after TechCrunch alerted AT&T on March 26 about the risk to customers. TechCrunch has withheld its story until AT&T completes the process of resetting affected customer passwords.
AT&T eventually acknowledged that the leaked data belonged to its customers, including about 65 million former customers.
Companies that experience data breaches that affect large numbers of people are required to disclose the incident to US attorneys general under data breach notification laws. In its notices filed in Maine and California, AT&T said it is offering identity theft and credit monitoring to affected customers.
AT&T has not yet identified the source of the leak.
