New AT&T Data Breach Lawsuit Filed After Call, Text Records of ‘Nearly All’ Customers Stolen by Hackers
Last Updated on July 30, 2024
Yet another AT&T data breach lawsuit has been filed, this time over a massive April 2024 cybersecurity incident during which call and text records for “nearly all” AT&T customers nationwide were reportedly downloaded illegally from a third-party cloud platform allegedly unequipped with multi-factor authentication.
The 76-page AT&T data breach lawsuit states that the data stolen in the recent cyberattack, announced by AT&T on July 12, contains phone numbers for roughly 110 million cellular and landline customers, and records of calls and text messages from a six-month period between May 1, 2022 and October 31, 2022. Some of the stolen data also includes a subset of location-related AT&T customer records from January 2, 2023, the filing adds.
This latest data breach is the second major cybersecurity incident disclosed by AT&T, the nation’s second-largest wireless carrier, this year, with the prior 2024 data breach impacting more than 70 million customers whose stolen data was eventually published on a cybercrime forum, the case notes.
AT&T specified in its announcement that the stolen data does not contain the content or time stamps of consumers’ text messages or phone calls, the complaint states, but does include the phone numbers that a given AT&T phone number interacted with during the six-month window in 2022 and the call durations and total number of a customer’s calls and texts for specific days and months, known as metadata.
“Some of the stolen records include cell site identification numbers associated with phone calls and text messages, information that can be used to determine the approximate location of where a call was made or text message sent,” the proposed class action relays.
CNN has highlighted that with the compromised AT&T customer data, cybercriminals “could now identify relationships among phone numbers,” which can be useful for hackers attempting to make scams more believable, the filing says. Tech publication Wired wrote that this latest AT&T data breach poses a “sweeping danger” to consumers, as hackers armed with the “gold mine” of stolen information could construct more sophisticated phishing attacks to target certain individuals or communities, the suit notes.
The cloud platform reportedly accessed in the latest AT&T data breach is hosted by co-defendant Snowflake, which in June of this year announced it suffered a cybersecurity incident affecting 165 of its business customers, a stable of major companies such as Ticketmaster, Advance Auto, Neiman Marcus and more, the data breach lawsuit shares.
The suit, citing the results of an investigation into the “threat campaign” by Google-owned cybersecurity firm Mandiant, says that if AT&T and/or Snowflake had enabled multi-factor authentication, “this Data Breach would likely have been prevented.”
“AT&T failed to implement [multi-factor authentication] on its Snowflake account and Snowflake failed to require customers like AT&T to implement [multi-factor authentication] to protect their data, among other things,” the lawsuit alleges.
In its announcement, AT&T said it has “taken steps to close off the illegal access point” from where the data breach reportedly stemmed and does not believe the stolen information is publicly available. “[A]t least one person has been apprehended,” the carrier added.
Multi-factor authentication could have prevented the AT&T data breach, suit claims
Co-defendant Snowflake provides “digital warehouses” for thousands of clients worldwide, and through its services has access to and stores massive datasets of personal information from its corporate clients’ customers and employees, the case explains. In the wake of the recent AT&T data breach, Snowflake reportedly retained Google-owned cybersecurity incident response firm Mandiant to investigate the attack.
Per the suit, Mandiant attributed the breach to a yet-uncategorized cybercriminal group tagged as UNC5537, which the firm said is “financially motivated,” apparently evidenced by the posting for sale of the stolen information on cybercrime forums.
“Mandiant explained that since April 2024 ‘UNC5537 [] [was] systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.’”
Mandiant’s inquiry revealed the so-called “threat campaign” was successful because the impacted Snowflake accounts were not configured with multi-factor authentication, meaning successful access required only a valid username and password, the lawsuit states.
The filing emphasizes that multi-factor authentication (MFA) is the industry standard, though Snowflake has allegedly blamed the data theft on customers such as AT&T.
“However, Snowflake did not enforce or require its corporate customers to use MFA,” the suit points out. “Here, Defendants’ joint failure to implement the most basic cybersecurity feature (enabling/enforcing MFA) was the cause of this Data Breach.”
AT&T says 2024 data breaches are unrelated
The case, citing an AT&T spokesperson, shares that the latest cyberattack involved data exposed on AI data cloud provider Snowflake. AT&T has confirmed that the recent Snowflake breach is “unrelated to the leak involving the data of 73 million current and former subscribers” from earlier in the year, the filing says.
New AT&T data breach also impacts Boost Mobile, Cricket, H2O, Straight Talk Wireless subscribers, lawsuit says
[Update: A Cricket data breach lawsuit was filed on July 23, 2024.]
According to the complaint, the stolen AT&T data also includes call records of customers with phone services from other cell carriers that rely on AT&T’s network, called mobile virtual network operators (MVNOs).
The MVNOs likely impacted by the AT&T cyberattack include the providers Boost Mobile, Cricket Wireless, H2O and Straight Talk Wireless, the suit states.
Who’s covered by the AT&T data breach lawsuit?
The new AT&T data breach class action looks to cover all United States residents whose personal information was compromised as a result of the data breach announced by AT&T in July 2024.
Is there an AT&T data breach lawsuit sign up page?
When a new class action lawsuit is filed, there’s typically nothing you need to do to join, sign up for, or add your name to the case to participate. It’s typically only in the event of a class action settlement that the consumers covered by the lawsuit, called class members, would need to act. This usually involves filling out and filing a claim form online or by mail after receiving an official class action settlement notice.
For now, AT&T subscribers can sit tight and stay informed. ClassAction.org will update this page as the litigation develops, so be sure to check back often.