DALLAS — Dallas-based AT&T is facing a lawsuit after the company recently announced the data of “nearly all” of its customers was downloaded to a third-party platform in a security breach.
It was the company’s second data breach reported this year.
The lawsuit, filed Friday in the U.S. District Court for the Northern District of Texas by a 15-year AT&T cellular customer, alleges AT&T “has not been transparent about the nature and extent of data security lapses impacting its customers,” failed to adequately protect customers’ data from third parties, and earned “unjust enrichment” from customers after failing to protect their information.
“As a direct and proximate result of AT&T’s failure to exercise adequate and reasonable care and use commercially adequate and reasonable security measures, the [personally identifiable information] of Plaintiff and Class Members was accessed by ill-intentioned individuals who could and will use the information to commit identity or financial fraud,” the lawsuit reads. “Plaintiff and Class Members face the imminent, certainly impending, and substantially heightened risk of identity theft, fraud, and further misuse of their personal data.
The compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022 - October 31, 2022, as well as on Jan. 2023, the company said last week.
AT&T said at the time the data is not believed to be publicly available. AT&T said the data does not include the content of calls or texts or other personal information like Social Security numbers, dates of birth.
“We launched an investigation and engaged leading cybersecurity experts to understand the nature and scope of the criminal activity,” AT&T said earlier this month. “We have taken steps to close off the illegal access point. We are working with law enforcement in its efforts to arrest those involved in the incident. We understand that at least one person has been apprehended.”
“While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” AT&T added. “Our top priority, as always, is our customers. We will provide notice to current and former customers whose information was involved along with resources to help protect their information,” AT&T continued.
WFAA has reached out to AT&T for comment on the new lawsuit. We’ll update this story as more information becomes available.
AT&T said in a Securities and Exchange Commission filing that they believe the cause of the breach is “threat actors” who “unlawfully accessed an AT&T workspace on a third-party cloud platform” between April 14 and 25.
“AT&T has taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access. AT&T will provide notice to its current and former impacted customers,” the filing reads.