Remember all the headlines about AT&T customer data of more than 70 million people showing up on the internet again after a previous leak? Now AT&T has filed a notice with the Maine Attorney General’s Office about the incident.
Here are two things to note about their notification to Maine:
AT&T filed the notification
The party responsible for a breach or incident is the party responsible for filing a notice to regulators. Since 2021 when data first appeared on a hacking forum, AT&T first claimed it was not from their system. More recently, they claimed it was not clear where it was from. Is AT&T now admitting that the data came from their system?
Yes. Their notification states:
What happened? On March 26, 2024, we determined that AT&T customer information was included in a dataset released on the dark web on March 17, 2024.
A number of consumers — millions, even — may be furious because AT&T could have determined that in August 2021. Why did they only first determine it in March 2024? If news outlets had not persisted in questioning AT&T and reporting findings, would AT&T ever have admitted it was their data? As Bleeping Computer reports:
After BleepingComputer confirmed that the data belonged to AT&T and DirectTV accounts, and TechCrunch reported AT&T passcodes were in the data dump, AT&T finally confirmed that the data belonged to them.
AT&T’s notification repeats what was previously known in terms of the types of information involved:
The information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode. To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier.
The telecom offers those affected complimentary credit monitoring services, although given that the data started circulating in 2021, their offer may be too little, too late.
What is AT&T doing to help? We’re offering you the complementary credit monitoring, identity theft detection and resolution services described above. If you have an active account that was impacted, we’ve taken precautionary measures and reset your passcode. A passcode is a numerical PIN, usually four digits, used in addition to your password as an extra layer of protection for your account. Additionally, we launched a robust investigation supported by internal and external cybersecurity experts, and we are regularly reviewing and updating the measures we take to protect your information.
They report 51,226,382 customers were affected
Why 51 million when all the headlines were about more than 70 million? AT&T provided Bleeping Computer with a statement indicating that some customers had more than one account in the dataset, and some customers did not have sensitive information involved.
A copy of AT&T’s notification letter is linked from their report to Maine.