Communications Litigation Today was a Warren News publication.
'Weakest Link'

FCC Investigating Widespread AT&T Data Breach

The FCC said Friday it launched an investigation after AT&T revealed that a bad actor breached its network in April and accessed call and text records for nearly all its wireless customers from mid-2022 and for a single day in January 2023. The breach included calling data from customers of mobile virtual network operators using AT&T’s network. In an SEC filing, AT&T said that a suspect was apprehended.

AT&T blamed an illegal download on a third-party platform. The data accessed didn't include content of the calls and texts, Social Security numbers, dates of birth or other personal information, AT&T said in the filing. The breach included phone numbers of AT&T wireline customers and customers of other carriers as well as some cellsite records.

AT&T has taken additional cybersecurity measures in response to this incident, including closing off the point of unlawful access,” the company said. The company "will provide notice to its current and former impacted customers.”

AT&T noted in the SEC filing it learned of the breach April 19 but, working with DOJ, delayed disclosure. The company is “working with law enforcement in its efforts to arrest those involved in the incident,” it said. AT&T doesn’t believe the content is publicly available, the company said in a statement.

Industry lawyers said the FCC may be constrained in the steps it can take to address data breaches, especially in light of the U.S. Supreme Court’s recent decision in Loper Bright Enterprises v. Raimondo, which limited deference to how agencies interpret the law (see 2406280043). T-Mobile is challenging at the U.S. Court of Appeals for the D.C. Circuit the FCC's 3-2 April decision fining it for allegedly not safeguarding data on customers' real-time locations (see 2407090019).

Section 222 of the Telecom Act, on which the FCC has relied in part for power to conduct data breach investigations, “was intended to be a competition protection provision, not blanket authority for the FCC to get into the data breach realm,” a former FCC official said. After Loper, “the FCC may have a harder time defending some of its data breach enforcement actions.”

The “key” is that the hack “came through a third-party cloud provider,” said Recon Analytics’ Roger Entner, who noted the apparent arrest of a suspect: “It shows that people are the weakest link.”

The breach appears to involve AT&T calling data records, which is not as serious as a leak of credit card, Social Security number information and other data, John Strand of Strand Consult wrote in an email. “I would think that it will not be assessed as a gross violation of the rules” but AT&T will probably agree to pay a financial penalty, Strand said.

The leak has potential national security implications given the number of AT&T government customers, John Scott-Railton, a security researcher at Citizen Lab, said on X. “An unknown entity now has an NSA-level view into Americans' lives,” he said.

Former Cybersecurity and Infrastructure Security Agency Director Christopher Krebs said it was “noteworthy” that AT&T received a national security exception from DOJ under the SEC reporting requirements. That’s the “first such exception I'm aware of,” Krebs said.

Connecticut Attorney General William Tong (D) has “an active and ongoing investigation into data security matters involving AT&T,” which was opened before Friday’s incident, a Tong spokesperson said.

AT&T’s stock price was off just 0.27% Friday, to $18.81. This makes sense, New Street’s Blair Levin said in an email. “The path forward is a negotiation between the FCC and AT&T in which AT&T will agree to take steps to strengthen its defenses and pay a fine, but the fine is not likely to be material.”