Another day, another data breach. But this one is nasty.
AT&T said Friday that hackers who have hit other companies also swiped at least six months of 2022 phone records for — that’s roughly 110 million customer accounts. AT&T said hackers don’t have the content of people’s calls or texts.
For what AT&T says is a portion of those records, the stolen data also included some people’s estimated locations.
The swiped location data is relatively unusual in a cyberattack, and it’s the part that freaked out Albert Fox Cahn, founder of the Surveillance Technology Oversight Project.
Your phone company logs the nearest cellular tower every time your device connects to its mobile network. That data is essentially a rough timeline and map of everywhere you go with your smartphone, including your home, work, house of worship, medical appointments and more.
Advertisem*nt
Skip to end of carousel
Shira Ovide
Tech Friend writer Shira Ovide gives you advice and context to make technology work for you. Sign up for the free Tech Friend newsletter.
End of carousel
“It’s such an invasive window into our lives,” Cahn said. The stolen location records of AT&T customers were limited to data from older 3G mobile connections and during slices of the day, an AT&T spokeswoman said. That’s probably a relatively limited amount of data on customers’ estimated whereabouts.
You can’t know for sure how this stolen AT&T information might be used against you. I’ll talk you through how to know if your data was swiped, what could go wrong and how to protect yourself.
Also, take a moment to feel furious. This data theft shows the risks from the United States’ largely unregulated personal data harvesting. You, and generally not the companies, bear the burden when companies fail to secure your information from thieves.
How do you know whether your phone records were stolen?
AT&T said it will notify affected customers by text, email or physical mail.
Advertisem*nt
But if you had AT&T mobile service between the beginning of May and the end of October in 2022 or on Jan. 2, 2023, you should assume your phone records were stolen.
What information is in those hacked phone records?
The swiped records include information like every number you texted and called and how many times you called your spouse in a given month and the cumulative time those calls lasted.
AT&T said monthly wireless and home telephone customers can go to this website to see the phone numbers of your calls and texts that were in the stolen records.
AT&T also said that the names associated with accounts, Social Security numbers and credit card numbers weren’t stolen.
Another potential risk may be from the stolen logs of AT&T customers’ locations.
Even if the stolen data had relatively limited data about customers’ physical whereabouts when they connect to a mobile network, the location data from cellphones is so sensitive that the Supreme Court has said it generally deserves extra legal protections. Police must have a warrant to obtain the kind of location data that thieves just stole from AT&T.
What do you have to worry about?
AT&T’s statement said it doesn’t believe the stolen phone records have been leaked online. But Cahn said the thieves could at any time sell the phone records to other criminals or post them on the web for anyone to see.
Advertisem*nt
With information like the numbers you frequently call, a crook could impersonate your boss, brother or bank to get you to hand over money, said Frédéric Rivain, chief technology officer of the password management service Dashlane. (Although crooks already can and do impersonate your contacts’ phone numbers without stealing your phone records.)
In the wrong hands, stolen data from phone records could also be used to blackmail people having affairs, for criminals to find the homes of police officers and prosecutors, or for abusers to track down their former romantic partners.
If you think I’m exaggerating: Phone location and call records from two Georgia prosecutors pursuing a legal case against former president Donald Trump were presented as evidence of their romantic relationship. And in 2021, a priest was ousted from his job after a conservative Catholic group used location information from the gay dating app Grindr to trace his movements to a gay bar and a gay bathhouse and spa.
What can you do to protect yourself?
It’s an unfair burden, but personal vigilance is your best defense.
Advertisem*nt
If it seems like your sister is texting you in a panic to ask for bail money or if someone calls from what seems like your grandson’s phone number and says he’s holding your grandson for ransom, be suspicious. Hang up and try to reach your loved one directly or through a family member or friend.
Be extra vigilant about phone calls and texts that seem to come from your bank, too, in case crooks are impersonating the bank’s phone number.
AT&T said if you’re a target of fraud on your wireless number, you should report it to the company’s fraud team.
And if you typically have numerical codes texted to your phone to confirm your identity when you log into Facebook, a credit card account, your email or other websites, this might be a good moment for a security upgrade.
If you can manage it on your sensitive accounts, use an app like Authy or Google Authenticator that generates single-use codes instead of text messaged codes. Using an app instead of texts protects you from a serious but uncommon type of hack in which criminals intercept calls or texts to your phone number.
Advertisem*nt
Cahn said the location data saved by AT&T and other cellphone providers is not something you can protect on your own. That’s on companies to keep safe.
He says location data could be abused to endanger vulnerable people, including victims of stalkers or intimate partner violence.
“Where it could be potentially really scary is for people who put a premium on protecting their location privacy,” he said.
correction
A previous version of this article incorrectly said the AT&T breach affects customers with mobile service on Jan. 1, 2023, among other dates. It should have said Jan. 2, 2023. The article has been corrected.
