Telco Data Breach Timeline
On October 5th, the Wall Street Journal broke the news of a major breach by Chinese hackers of at least three major US telecommunications providers. The breach appears to be an espionage operation aimed at discovering the Chinese targets of American surveillance; however, the full scope of the compromise and its impact is not yet known. Officials reported that the breach compromised the networks of AT&T, Verizon, and Lumen, and many more, as the hackers have been in their systems for months. There was some indication that the lawful intercept system was targeted, but the hackers' access was even broader, including more general internet traffic as well. There were indications that China’s foreign spy service, the Ministry of State Security, specifically an arm known as Salt Typhoon, is involved in the breach.
On March 30th, 2024, AT&T disclosed a data breach affecting 7.6 million current and roughly 65.4 million former customers, with sensitive data leaked on the Dark Web. The first indication that a security incident may have occurred was in August 2021, when a hacker posted a data sample and offered the sale of a massive data set they claimed to have stolen from AT&T. At the time, AT&T denied that a breach of their systems had occurred, stating that the data likely originated from another source. In early March 2024, a data seller allegedly published the full data set, revealing information from 73 million AT&T account holders. Following confirmation of the breach, AT&T notified affected individuals that their personal and account information—including names, email addresses, postal addresses, phone numbers, Social Security numbers, birth dates, and account details—might have been compromised. This incident left customers vulnerable to identity theft and financial scams, and led to demands for improvements in AT&T's data security protocols. See this article to learn more about steps you can take to protect your privacy and avoid falling victim to future data attacks.
On February 7th, 2024, a report was filed to the Maine Attorney General on behalf of Verizon announcing that their company suffered an internal data breach. While the breach occurred on September 21st, 2023, the company didn't discover what had taken place until nearly three months later on December 12th, 2023. An investigation uncovered that a Verizon employee had gained unauthorized access to a file containing sensitive information of over 63,000 employees, including names, Social Security numbers, physical addresses, and more. Affected employees were offered access to identity protection and credit monitoring services in order to prepare for possible identity theft, fraud, and stolen funds.
Toward the end of 2023, Mint Mobile notified an unknown number of customers via email that they had suffered a security breach. The email stated that “an unauthorized actor obtained some limited types of customer information." While the company stated that the underlying issue had been resolved, and that information like Social Security numbers and credit card information was not at risk, the data obtained did include things like customer names, phone numbers, email addresses, and SIM and IMEI numbers, placing those customers at risk for SIM swapping and other social engineering scams. Mint Mobile has since been acquired by T-Mobile.
On September 20th, 2023, T-Mobile customers took to social media to report that upon logging into their T-Mobile apps, their accounts displayed the personal information of another customer instead of their own. Consequently, sensitive data, including addresses and credit card information, was exposed. T-Mobile responded to the breach, reporting that it was caused by an overnight system error and affected fewer than 100 customers. However, the full extent of the exposure remains unknown, as the number of parties has not been disclosed. This incident marked the third customer-related security breach for T-Mobile, and the fourth involving a breach of T-Mobile information, in 2023 alone—an unprecedented record of privacy and security violations for a telecom company in a single year.
Reports emerged on September 21st, 2023, revealing that hackers breached T-Mobile's internal servers in March 2023, extracting a massive amount of highly sensitive employee data. The compromised information, totaling 89 GB, encompassed details of 17,835 past and present employees, such as names, partial Social Security numbers, and email addresses. This data was subsequently posted on a well-known hacker forum. It is speculated that the breach originated from Connectivity Source, an independently owned T-Mobile dealer, in April 2023.
In April 2023, T-Mobile sent a letter to 836 customers disclosing that a data breach had occurred earlier in the year. Information obtained for each customer varied but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, Social Security number, government ID, date of birth, and more. While this breach affected a much smaller number of customers than the incident reported in January, which affected over 37 million, it still represented a massive failure of T-Mobile's security measures. For over a month, cyber attackers were able to maintain ongoing data theft operations while remaining undetected. During that time, affected customers were at enhanced risk of experiencing fraud or phishing scams without any warning to be on guard.
In January 2023, the data of 7.5 million Verizon wireless customers was found on the Dark Web. The breach, discovered by the cybersecurity team SafetyDetectives, was linked to Verizon by clues discovered hidden in the filenames, but conclusive origins have never been disclosed. In response, Verizon stated that the issue stemmed from an outside vendor and had been resolved. While the exposed information did not include any personally identifiable data, the researchers believed that it could be combined with information from other breaches, giving attackers a higher chance of success in perpetrating fraud or identity theft.
In January 2023, T-Mobile discovered that a "bad actor" had stolen information from over 37 million customer accounts via unauthorized use of a single API. Personally Identifiable Information (PII) including names, addresses, phone numbers, and dates of birth was exposed during the breach. This incident highlights the danger of uncontrolled and unmonitored API use that often occurs at massive companies like T-Mobile. Moreover, while T-Mobile reported that they were able to contain the attack in less than one day, a third of their total subscribers had their personal information exposed during that period.
Verizon experienced a data breach in October 2022 in which the last four digits of some customers' payment card numbers were exposed. While exposure of the last four digits alone would not enable unauthorized purchases, it did provide the attackers with personal details such as names, phone numbers, and addresses that could facilitate access to additional account information. Further, there's a possibility that the attackers were able to conduct SIM swaps on some accounts. A SIM swap could allow interception of messages or calls intended for the account holder via another device, potentially compromising other accounts. Verizon took steps to safeguard the impacted accounts, such as resetting personal identification numbers. The company also provided recommendations to customers on protecting non-Verizon accounts that may be at risk of unauthorized access through SIM swapping activity resulting from this incident.
In August 2022, a cybersecurity firm reported intercepting a sizable dataset containing Personally Identifiable Information (PII) on approximately 23 million individuals in the United States. The PII included names, physical addresses, email addresses, phone numbers, Social Security numbers, and dates of birth. According to the firm's analysis, the data corresponds most closely to past and present customers of AT&T. While AT&T did not outright confirm the data originated from their systems, they noted the records do not appear to match any known breaches of their own networks. It remains possible the incident is related to a prior data compromise at another unrelated organization.
In May 2022, an unauthorized individual allegedly obtained internal Verizon employee contact records through pretexting tactics. The individual reportedly used deception to access internal systems containing names, ID numbers, phone contacts, and emails. To monetize the stolen database, the alleged perpetrator requested $250,000 to safeguard the information and not publicly share it. Verizon stated they declined to engage, noting the information was already public. However, the database could allow bad actors to pose as employees or flood Verizon's email system with spam or malicious emails.
In August 2021, T-Mobile suffered one of the most extensive and costly data breaches on record. Hackers infiltrated T-Mobile systems and stole highly sensitive customer information, including names, driver's license numbers, Social Security numbers, and device identification numbers. In June 2022, T-Mobile reached a settlement agreement to resolve a class action lawsuit filed by customers affected by the breach. As part of the settlement terms, T-Mobile agreed to pay $350 million to customers who experienced harm as a result of the incident. Additionally, T-Mobile committed $150 million toward enhancing its cybersecurity protections and systems. The wireless carrier acknowledged the need to further strengthen safeguards for customers' private data.