AT&T data breach includes call information from some FirstNet users

July 14, 2024


Call-information data from some FirstNet subscribers was part of the AT&T customer data that the carrier giant Friday announced was “illegally downloaded” in 2022 and early 2023, according to multiple sources familiar with the situation.

Official statements from AT&T and the FirstNet Authority did not directly address whether FirstNet subscribers’ call-information data was downloaded, but the statements indicated that FirstNet telephone numbers, counts of calls/texts and call durations were downloaded via “a third-party cloud platform.” In addition, multiple sources confirmed to IWCE’s Urgent Communications that such data from FirstNet users was part of the illegal download.

When asked by IWCE’s Urgent Communications whether FirstNet subscribers’ call information was downloaded, AT&T provided the following statement.

“The data downloaded covers AT&T records of calls and texts from telephone numbers that interacted with the AT&T commercial network,” according to the AT&T statement. “The majority of FirstNet’s subscribers as of the end of 2022 are not included in the compromised data.”

In response to another inquiry, AT&T stated that the fact that FirstNet operates on a separate network core from its commercial network makes a difference in such situations.

“Thanks to the certified completion of the initial network build, we’re providing a differentiated service level with greater operational control,” according to an AT&T statement to IWCE’s Urgent Communications. “FirstNet is America’s public safety network; it is not the AT&T commercial network.”

The FirstNet Authority—the federal-government entity that contracted AT&T to build and maintain the nationwide public-safety broadband network (NPSBN)—also provided a statement about the situation.

“The FirstNet Authority was made aware of an incident where AT&T customer data was illegally downloaded from its workplace on a third-party cloud platform,” according to the FirstNet Authority statement. “AT&T continues to work with law enforcement, which the company says has led to an apprehension.

“The FirstNet Authority takes all aspects of network security seriously. We are working closely with AT&T to address any concerns from FirstNet users.”

AT&T began investigating the matter in April after learning of a claim that a threat actor had “unlawfully accessed and copied AT&T call logs,” according to AT&T’s report on the matter that was filed yesterday with the Securities and Exchange Commission (SEC).

“Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023, as described below,” AT&T’s SEC filing states.

AT&T’s filing to the regulatory agency identified the type of call information that was downloaded.

“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information,” AT&T’s SEC filing states. “Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network.

“These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included.”

No subscriber names were included in the downloaded data, but AT&T’s filing acknowledges that “there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”

Although AT&T identified the issue with the call-information data in April, the U.S. Department of Justice determined that the matter should not be released publicly in May or June, according to the carrier’s SEC filing.

“On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted,” according to AT&T’s SEC filing. “AT&T is now timely filing this report.

“AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended. As of the date of this filing, AT&T does not believe that the data is publicly available.”
