AT&T 'Failed to Protect' Users' Information in January Data Breach: Complaint

AT&T “completely and utterly failed” to protect sensitive consumer data when it suffered a “massive data breach” in January, compromising the personal information of about 9 million U.S. customers, alleged a class action (docket 5:23-cv-00038) in U.S. District Court for Western North Carolina in Statesville.

Instead of warning data breach victims they're at “significant risk” of identity theft and fraud, AT&T’s notice says the carrier “prevented the most sensitive types of customer information from being accessed,” and customer accounts and finances were “not put directly at risk by this event,” the complaint said.

Plaintiff Timothy Trimble, a North Carolina resident, learned of the January data breach last week, when AT&T said a “bad actor” compromised the personal identifiable information (PII) of about 9 million customer accounts in January. “Although AT&T has released very little information” about the breach, it said its customers’ PII was compromised through customer proprietary network information (CPNI), the complaint said.

CPNI is information U.S. telecom services acquire from their subscribers, such as the services they use and the type and amount of usage, the complaint said. When AT&T detected the data breach, the company “promptly notified law enforcement,” notifying authorities that information including name, billing address, email, phone number, date of birth, account number, number of lines on the account and service plan features were included in the breach, the complaint said, citing a news report.

Though AT&T has begun notifying customers whose data was compromised, in accordance with state and federal requirements, notices received by victims of the breach “are woefully deficient,” said the complaint. A March 6 notice published on an AT&T Community forum from AT&T tells a subscriber wondering if an email warning him of a CPNI issue with his account was a phishing scam that “an unauthorized person breached a vendor’s system and gained access to your [CPNI].” AT&T reassured the customer that “no sensitive personal or financial information such as Social Security number or credit card information was accessed.”

AT&T’s assertion that exposed data didn’t include Social Security numbers, credit card information, account passwords or other sensitive information was “misleading,” the complaint said, saying the PII compromised in the breach “significantly increases the risk of identity theft and fraud for victims.” The complaint cited a comment from Chester Wisniewski, field chief technical officer of applied research at security firm Sophos, saying the information stolen in the breach “is ideal for SIM swapping attacks and other forms of identity theft.”

The company notified federal law enforcement as required by the FCC, said the notice, adding the report didn’t contain specific information about his account, “only that the unauthorized access occurred.” The notice encouraged the customer to “consider adding our ‘extra security’ password protection to the account at no cost,” and added an apology.

The complaint cited Justin Fier, senior vice president for security company Darktrace, who said such a “massive trove of consumer profiles” could be useful to a range of bad actors, from nation-state hackers to criminal syndicates, “with dozens of ways” the stolen information could be “weaponized.”

AT&T’s efforts to notify the plaintiff and class members “fell short of providing key information” about the breach, having just brief messages “with little substantive information that failed to warn victims to take action to protect themselves from identity theft and fraud,” the complaint said. The company failed to provide breach victims with the “details necessary to protect themselves.”

North Carolina is one of at least 24 states with laws requiring businesses that own, license or maintain PII to implement and maintain “reasonable security procedures and practices and to protect PII from unauthorized access,” the complaint said. AT&T also failed to comply with FTC guidance on protecting PII, it said.

Alleged counts include negligence, breach of confidence, invasion of privacy, breaches of express and implied contract, unjust enrichment and violations of the Declaratory Judgment Act and North Carolina’s Identity Theft Protection Act. Plaintiff seeks compensatory, general and nominal damages, disgorgement and restitution of all earnings, profits and benefits as a result of its unlawful acts and omissions; treble statutory damages; and punitive or exemplary damages, the complaint said.

The plaintiff also seeks permanent injunctive relief; and requirements that AT&T protect all data collected through the course of its business in accordance with state and federal laws; protect all data collected through its course of business in accordance with regulations, standards and laws; delete, destroy and purge customer data; implement and maintain a comprehensive information security program designed to protect the confidentiality and integrity of customers’ PII; engage third-party security auditors/penetration testers and internal security personnel to conduct periodic testing and simulated testing; and other training, monitoring and testing procedures. AT&T didn’t comment Monday.