Trade Law Daily is a service of Warren Communications News.
'Still Appears Clueless'

After 'Years of Denial,' AT&T 'Changed Its Tune' About 2021 Data Breach, Plaintiffs Say

Despite AT&T’s assertion in 2021 that a hacked database containing the personally identifiable information (PII) of 70 million AT&T customers “does not appear to have come from our systems,” three years later “the same customer data from 2021 is no longer just for sale,” but it also “has been fully exposed on the Dark Web,” alleged a class action Tuesday (docket 1:24-cv-01414) in U.S. District Court for Northern Georgia in Atlanta.

Plaintiffs and AT&T customers Ryan Unruh, a Kansas resident, and Christopher Isbell, of Florida, cited an Aug. 20, 2021, article in BleepingComputer, reporting that threat actor ShinyHunters began selling the stolen database on Aug. 19, 2021, at a starting price of $200,000, then in increments of $30,000; it was also willing to sell it immediately for $1 million.

The threat actor shared samples of the database that included customers' names, addresses, phone numbers, Social Security numbers, and dates of birth; a security researcher reported that two of four samples were confirmed to have accounts at att.com. To “fully wash its hands of the disaster,” AT&T told BleepingComputer the data wasn’t from their systems and that it hadn’t recently been breached, but the company “chose not to speculate” about its vendors when asked whether the data may have come from a third-party partner, the article said.

Other experts have also connected the August 2021 auctioned database to the data breach, the complaint said. Cybersecurity researcher Troy Hunt concluded the data “closely resembles a similar data breach that surfaced in 2021 but which AT&T never acknowledged,” said the complaint, citing a Saturday AP report.

Hunt contacted potential victims and asked them to confirm whether their data was accurate and if they were an AT&T customer, said the article. One noted she uses “subaddresses” to make “unique forms” for her online logins, and her DirecTV form of her email, which appeared on the stolen database, “has never been used for any other purpose,” it said. If the data didn’t come from AT&T directly, “it came from someone with whom they shared customer data,” said the complaint.

After “years of denial, AT&T has changed its tune,” the complaint said. The company admitted Saturday that about 73 million former and current AT&T customers’ PII was released on the dark web, “a concerning turn of events,” the complaint said. “Equally troubling,” AT&T “still appears clueless as to the source of the breach,” the customer said.

“One would hope that,” three years after a data breach, “a telecom giant like AT&T would have conducted a ‘robust investigation’ into the data leak to determine who was responsible, where the data originated from, which customers were impacted,” and how it occurred, said the complaint. If it had, “the 73 million customers could have attempted to adequately protect themselves,” it said: “Instead, AT&T remained willfully blind.”

Had AT&T implemented industry-standard security measures, invested adequately in data security, and “promptly investigated cybersecurity issues,” the unauthorized parties likely wouldn’t have been able to access AT&T’s or its third-party vendors’ systems, and the data breach “would have been prevented or much smaller in scope,” the complaint said. AT&T still possesses the plaintiffs’ and class members’ PII, which “remains at risk of further breaches,” it said.

The plaintiffs claim negligence, negligence per se, breach of contract and implied contract, and unjust enrichment. They seek injunctive relief barring AT&T from continuing to engage in unlawful acts and awards of compensatory, consequential, general and nominal damages; statutory damages trebled and/or punitive or exemplary damages; disgorgement and restitution; attorneys’ costs and fees and pre- and post-judgment interest.