AT&T on Saturday said that data on roughly 73 million current and former customers was exposed on the dark web, including social security numbers and other personal information.
According to the telecommunications giant, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.
Dallas, Texas-based AT&T used the Easter holiday weekend to quietly share the update on data that surfaced on the dark web roughly two weeks ago.
“AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web approximately two weeks ago,” the company said in a statement. “While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors. With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed.”
The company said a “robust investigation” investigation is underway, supported by internal and external cybersecurity teams.
“Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set,” the statement said. “The company is communicating proactively with those impacted and will be offering credit monitoring at our expense where applicable.”
The company says the incident has not had a material impact on its operations.
In March 2023, AT&T notified roughly 9 million wireless customers that their customer proprietary network information (CPNI) was compromised in a data breach at a third-party vendor.
Late last month the telco experienced an outage that knocked out cellphone service for many of its customers across the US, but the company said the outage was not caused by a cyberattack.