Skip to main content
close search
site logo
Dive Brief

Latest AT&T data breach risks customer defections: Moody’s

The incident comes as AT&T is already facing a number of class action suits stemming from a separate breach that was disclosed in March.

Published July 16, 2024
Alexei Alexis's headshot
Reporter
A pedestrian walks by a sign posted in front of an AT&T store.
A pedestrian walks by a sign posted in front of an AT&T store on June 20, 2023 in San Francisco, California. Justin Sullivan via Getty Images

Dive Brief:

  • Credit rating agency Moody's said Monday that a massive cybersecurity breach disclosed by AT&T last week represents a “credit negative” for the company.
  • The breach compromised six months’ worth of call and text message records of "nearly every" AT&T cellular network customer in 2022, the telecommunications giant said in a July 12 securities filing
  • “This latest announced AT&T breach is a credit negative that raises serious questions about the company’s cyber risk governance and management practices,” Moody’s Ratings Vice President – Senior Analyst Neil Mack said in an emailed statement. “A key risk is of customer defections as a result of customers' perceiving their private data being more vulnerable at AT&T relative to wireless competitors.”

Dive Insight:

Cyberattacks can undermine the creditworthiness of companies, organizations and governments, hitting revenues and increasing costs, according to a June report from Moody's.

“Revenue flows can be disrupted by business outages, loss of customers, or theft of intellectual property,” said the report, which was shared with CFO Dive. “At the same time financial outlays can increase due to attack mitigation costs, regulatory fines and legal settlements, among other things.”

AT&T’s disclosure last week has already resulted in a proposed class action lawsuit.

Breach victims’ personally identifiable information would not have been compromised “but for AT&T’s wrongful and negligent breach of its duties owed to Plaintiff and Class Members,” according to the complaint, which was filed July 12 in the U.S. District Court for the Northern District of Texas by Dina Winger, an AT&T cellular customer, on behalf of “all others similarly situated.”

“It was foreseeable that AT&T’s failure to exercise reasonable care to safeguard the PII in its possession or control would lead to one or more types of injury to Plaintiff and Class Members,” the complaint said. “The Data Breach was also foreseeable given the known, high frequency of cyberattacks and data breaches in the telecommunications industry.”

Winger is represented by law firms Mathias Raphael PLLC and Foster Yarborough PLLC.

The cybersecurity incident comes as AT&T is already facing a number of class action lawsuits stemming from a separate massive consumer data breach that was disclosed by the company in March.

“There will be more court cases,” David Vladeck, a Georgetown University law professor and former director of the Federal Trade Commission’s Bureau of Consumer Protection during the Obama administration said in an email. “They will allege that AT&T should have had more robust defenses and, in any event, why did the company retain information of little use? In the end, it is hard to see if the company had viable defenses.”

AT&T didn’t immediately respond to a request for comment.

No ‘material impact’ from latest breach

In its securities filing last week, AT&T said it learned on April 19 that a threat actor claimed to have unlawfully accessed and copied AT&T call logs. The company said it determined after an internal investigation that hackers unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, obtained files containing AT&T records of customer call and text interactions that occurred between about May 1 and Oct. 31, 2022, as well as on Jan. 2, 2023.

“As of the date of this filing, this incident has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations,” the company said.

The compromised records include telephone numbers and aggregate call duration data but do not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information, according to the filing. “While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” it said.

AT&T’s prior breach caused the data of 7.6 million current AT&T account holders and about 65.4 million former customers to be released on the “dark web,” the company said in a March notice. The compromised data varied by customer and account, but may have included full names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, and AT&T account numbers and passcodes, according to a set of frequently asked questions published by the company at the time.

The incident triggered a flurry of proposed class action lawsuits. In June, the Judicial Panel on Multidistrict Litigation issued an order that consolidated the cases in the U.S. District Court for the Northern District of Texas.

It is too soon to tell what, if any, legal impact that AT&T’s latest announcement will have on the lawsuits stemming from the March disclosure, according to Larry Golston, an attorney at Beasley Allen Law Firm, one of the firms that are representing plaintiffs in the matter.

“It is clear that this is another example of a substantial cybersecurity failure involving AT&T that calls into question the adequacy and effectiveness of AT&T’s cybersecurity protocols, policies and the company’s supervision of its personnel and contractors,” Golston said in an email.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Basware’s New GenAI Tool Transforms Insights for CFOs
From Basware
October 29, 2024
Pharmaceutical Executive Taggart McGurrin Featured on Life Sciences 360 Podcast
From Wild Fig Advertising
October 29, 2024

Want to share a company announcement with your peers?

Get started

Editors' picks
Latest in Compliance
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell