The headline was enough to grab the attention of every AT&T customer, as it reported that data on “nearly all” AT&T customers was compromised in the latest breach.
But further reading might have been reassuring. No Social Security numbers were leaked and no credit card information was taken.
“Our investigation found that the downloaded data included phone call and text message records of nearly all of AT&T cellular customers from May 1, 2022 to October 31, 2022 as well as on January 2, 2023,” the company said in a statement.
The records identify other phone numbers that an AT&T wireless number interacted with during that time, including AT&T landline customers. But again, no names, addresses, birthdays, or other personal data
Even the content of those calls and texts was not stolen. So, what’s the threat?
The hackers stole millions of AT&T customers’ telephone numbers, and the numbers the customers engaged with. While customers’ names were not associated with the numbers, AT&T noted that it is relatively easy, using online tools, to link names with numbers.
An unconfirmed report says AT&T paid millions of dollars to a hacker, in return for deleting the data.
New scams
Cybersecurity experts are concerned that the data haul will provide scammers with lots of ammunition to hatch new schemes, perhaps using artificial intelligence (AI) to analyze calling patterns and relationships.
The data also includes the location of the cell towers connected to the numbers. Using that data, hackers might be able to identify the person associated with a particular number and track their movements.
“It’s difficult to understand how, after all of this time, corporate giants with lots of resources can’t or won’t protect our information,” said PIRG’s consumer watchdog Teresa Murray. “This is exasperating and unacceptable.”
What does all of this mean for AT&T customers? Dominic Chorafakis, a cybersecurity expert at Akouto, says it’s hard to predict how hackers will use the stolen data. But he says a more targeted scam is a strong possibility.
“Hackers who have access to the information stolen from AT&T could search for all the numbers that have communicated with a particular service or company that the victims may not want others to know about, such as a known adult entertainment customer support number,” Chorafakis told ConsumerAffairs.
“Armed with this information, along with the phone numbers of everyone else each person has communicated with makes them potential targets for extortion where the hackers could threaten to disclose the information to the friends’ and coworkers’ numbers that are included in the stolen data unless they pay a ransom.”
AT&T customers should be skeptical of any unsolicited text or phone call claiming to be from a trusted source. Don’t click on links or call a number provided in a message.
If the message claims to be from your bank, verify that it is by looking up your bank’s website and calling the customer service number.