AT&T's Data Carelessness Risks National Security and Exposes Customers to Fraud

AT&T customers have been victims of two massive failures by AT&T to secure their personal data. See the July 2012 notice here (affecting more than 100 million customers) and the March 2024 notice here (affecting 7.6 million customers). In both instances, private information about its customers was exposed to bad actors. These breaches, along with others by AT&T over the years, indicate a callous disregard for customer privacy.

In the largest breach announced by AT&T on July 12, 2024, the calls and text records of more than 100 million customers for the period from May 2022 to October 2022 were accessed. This latest breach creates a grave risk to national security, allowing foreign entities to map networks of possible agents or sources, thus putting lives at risk.

AT&T claims to be working with law enforcement regarding this major breach and has stated that at least one person has been arrested. However, despite admitting that the release occurred, AT&T has been non-transparent about when the breach happened. The data taken is several years old, so it is logical to infer that the breach may have occurred near October 2022. AT&T may have delayed notifying its customers for more than a year, and when it did notify them, it was not forthcoming.

In the interim, customers may have already suffered multiple harms as a result of these data breaches, not to mention the potential damage to national security. AT&T customers have complained to this firm over the past year about dramatic increases in junk marketing calls.

More disturbing is the uptick in scams targeting AT&T customers, where scammers use customers’ own information to buy new cell phones for which AT&T then bills the customers. One case investigated by this firm involved a purchase by scammers in another state, thousands of miles from where the customers received their AT&T phone bills. AT&T failed to take reasonable steps to question the purchase despite the red flag associated with the geographic discrepancy. AT&T could have easily texted the customer to inquire about the purchase. Despite knowing that its customers’ data had been compromised multiple times, AT&T failed to take reasonable steps before the scam purchase. Once the scammers acquired the phones, AT&T aggressively billed its customers and refused to reasonably remove the charges despite clear evidence that the charges were fraudulent.

All of the foregoing is coupled with a troubling history of AT&T knowingly facilitating fraudulent schemes to pad its bottom line. For example, despite knowing that scammers were taking advantage of a program for hearing-impaired persons, AT&T refused to comply with regulations requiring call verification because it feared losing revenue. See the press release from DOJ here. In that case, AT&T knowingly padded its bottom line with transactions it knew to be fraudulent. My first successful class action in 1997 was against AT&T for a breach of contract related to cell phone service. It seems to this attorney that AT&T’s corporate culture values profits over following the law, keeping its word, or protecting its customers’ private information.