Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
AT&T suffered a vast cyber security breach earlier this year, with hackers accessing the call and text message information of 110mn of the US telecoms company’s customers.
Over 11 days in April, “threat actors” accessed and copied records of customer calls and texts from a period of several months in 2022 as well as on January 2 2023, the company said in a regulatory filing on Friday.
The compromised data included files related to “nearly all” of its cellular customers, customers of mobile virtual network operators (MVNO) using its wireless network, and landline customers who interacted with those cellular numbers between May and October 2022. The company said the breach from January 2 affected “a very small number of customers”.
It is the second cyber security incident disclosed by AT&T this year, following an event in March. That also puts the Dallas-based group on a growing list of big US companies over the past 12 months that have contended with cyber security breaches, which includes healthcare giant UnitedHealth, consumer group Clorox, casino operators MGM Resorts International and Caesars Entertainment, and Supreme and North Face owner VF Group.
The US Securities and Exchange Commission last year imposed new requirements on companies to quickly disclose significant cyber attacks, albeit with exemptions that allow reporting to be delayed on national security or public safety grounds. The AT&T case is the first time a company has availed itself of such an exemption.
AT&T said it learnt of the breach on April 19 and that the US Department of Justice in May and June determined a delay in providing public disclosure was warranted. “We are co-operating with law enforcement in their ongoing investigation,” the company said, and “as part of that effort, we delayed the announcement so as to avoid undermining their work”.
At least one person has already been apprehended, the company said.
AT&T, the second-biggest wireless carrier in the US after Verizon, said it did not believe customers’ stolen records had been made publicly available. The data did not contain the content of calls or texts, or personal information, the company said.
It warned, though, that while the accessed information did “not include customer names, there were often ways, using publicly available online tools, to find the name associated with a specific telephone number”.
AT&T said it did not believe the incident was “reasonably likely” to materially affect its financial condition or results of operations. Its shares were down 1 per cent in early trading on Friday.
Under the SEC’s rule, when a company determines a cyber security incident is “material”, it must make a stock market announcement within four business days. But it may delay filing if the US attorney-general or a designated DoJ official determines that doing so would generate substantial risks to public safety or national security.
A DoJ official said companies should not fear coming forward early. “The rule is not supposed to be set up as a ‘gotcha’,” the official said. Engaging with the authorities “does not trigger a determination of materiality and start the clock” for disclosure.
AT&T said the customer data was downloaded from its workspace on a third-party cloud platform, and it had since closed off “the point of unlawful access”.
The company said in March that “AT&T data-specific fields” were contained in a data set released on the dark web but that it was not clear if the information was stolen from AT&T or a vendor. The company had no evidence of unauthorised access to its systems, it said at the time.
The data in that case appeared to be from 2019 or earlier, affecting approximately 73mn current or former customers.
Credit: Source link
