In a recent development, AT&T, the largest telecommunications company in the United States, has officially acknowledged a data breach that compromised the personal information of more than 51 million customers. The company has started notifying state authorities and regulators about the incident after confirming the authenticity of the leaked data.
According to a legally mandated filing with Maine's attorney general's office, AT&T revealed that it has started notifying affected individuals (in written format), including approximately 90,000 residents of Maine, informing them about the data breach.
The compromised information includes customers' full names, email addresses, mailing addresses, dates of birth, phone numbers, and Social Security numbers.
The leaked customer data dates back to mid-2019 and earlier, with records about more than 7.9 million current AT&T customers. The full cache of 73 million leaked customer records, which included some duplicates, was dumped online last month, allowing customers to verify the genuineness of their data.
TechCrunch reported a subset of the leaked data had first surfaced online three years ago, but AT&T did not take any significant action at that time. It was only after the complete dataset was published that the company acknowledged the breach and began taking steps to mitigate the potential risks to its customers.
One of the most concerning aspects of the leak is the presence of encrypted account passcodes, which were easily decipherable, according to a security researcher. Upon being alerted by TechCrunch on March 26, AT&T promptly reset the affected passcodes to protect its customers.
As of now, AT&T has not identified the source of the leak, leaving many questions unanswered. The company's handling of the situation, particularly the delay in addressing the initial leak three years ago, has raised concerns among cybersecurity experts and consumer advocates.