AT&T now says call information for most 2022 FirstNet users downloaded in data breach
After stating last week that most FirstNet users’ call information was not exposed during an illegal download announced this week, AT&T last week said the FirstNet call-information exposure is “similar” to the carrier’s broader customer base—a proportion previously described as “nearly all” AT&T cellular customers.
“Our initial assessment of the percentage of FirstNet numbers in the compromised data was incorrect,” according to a statement from AT&T. “We now believe the proportion of FirstNet numbers included in the data is similar to that of our broader customer base.”
On July 12, AT&T announced that customer call-information data was illegally downloaded. This data “includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022 – October 31, 2022,” according to AT&T’s July 12 press release about the matter.
AT&T provided the updated assessment to IWCE’s Urgent Communications on Friday afternoon, less than a week after the carrier provided IWCE’s Urgent Communications with a statement indicating that most FirstNet users’ call information—primarily from a period in 2022—was not compromised during the data breach. The call-information data was illegally downloaded from its “workplace on a third-party cloud platform,” according to AT&T.
“The data downloaded covers AT&T records of calls and texts from telephone numbers that interacted with the AT&T commercial network,” according to AT&T’s original statement from July 13. “The majority of FirstNet’s subscribers as of the end of 2022 are not included in the compromised data.”
This initial AT&T assessment proved to be inaccurate, as outlined in the new statement on July 19. In addition to providing the new assessment, the most recent AT&T statement includes other clarifications.
“To be clear, this was not an attack on either the FirstNet network or AT&T commercial network,” according to the latest AT&T statement about the matter. “This was an illegal download from an AT&T workspace on a third-party cloud platform.
“We take protecting FirstNet data very seriously. And we’ll continue to work with the FirstNet Authority and the public-safety community to ensure FirstNet is effectively serving the nation’s first responders. We sincerely regret this incident occurred and remain committed to protecting the information in our care.”
In response to an inquiry from IWCE’s Urgent Communications, the FirstNet Authority provided the following statement about AT&T’s latest assessment of the call-information data download on FirstNet public-safety subscribers.
“The FirstNet Authority continues to work with AT&T on this incident and to address concerns from FirstNet users,” according to a statement provided by a FirstNet Authority spokesperson. “We take all aspects of network security seriously; it is a top priority for the FirstNet Authority.”
While the illegal download of call information was not announced until July 12, AT&T officials have known about the issue since April—something the carrier shared in a filing with the Securities and Exchange Commission (SEC).
“Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023,” AT&T’s SEC filing states.
AT&T did not disclose publicly the downloading of customers’ call information in May or June based on direction from the U.S. Department of Justice, according to the carrier’s SEC filing.
“On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted,” according to AT&T’s SEC filing.
AT&T’s SEC filing identified the types of call information downloaded.
“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information,” AT&T’s SEC filing states. “Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network.
“These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included.”
No subscriber names were included in the downloaded data, but AT&T’s filing acknowledges that “there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”
AT&T has indicated that it does not believe the compromised data is publicly available.
AT&T’s announcement of the compromised call-information data came after the carrier—contracted by the FirstNet Authority to build and maintain the nationwide public-safety broadband network—suffered a series of service issues earlier this year.
The most high-profile incident occurred in the early-morning hours of Feb. 22, when AT&T suffered outages throughout the U.S. that impacted its user base, including subscribers to FirstNet. Restoring FirstNet services was prioritized, resulting in the outage lasting about two-and-a-half hours for affected FirstNet subscribers.
During a March open meeting, FirstNet Authority board member Renee Gordon said the FirstNet Authority would “continue to hold AT&T accountable for delivering the network public safety requires and relies on for their life-saving missions.”
FirstNet Authority Executive Director and CEO Joe Wassel announced the establishment of a task force charged with determining the cause of the Feb. 22 outage and identifying best practices to help ensure that a similar outage would not happen again in the future. No information from the task force has been released to date, but Wassel last month said he believes the lessons learned from the Feb. 22 outage will result in the NPSBN being better in the future.
“We know that no path to success is a straight line,” Wassel said during his keynote address at the 5×5 summit conducted almost a month ago in Chicago. “We have outages. We had an outage this year, and we’re going to be stronger after.”