AT&T's March Data Breach Dates to 2019 or Earlier, Alleges Class Action

However, details of the leaked data first appeared online in August 2021, when a “known threat, ShinyHunters,” offered the records for sale on a hacking forum with a $1 million price tag, a Saturday New York Times article said. That same data “appears to have been made available for free by another threat actor, MajorNelson,” last month, it said.

On its website, in a “Keeping your account secure” section updated Sunday, AT&T said: “It has come to our attention that a number of AT&T passcodes have been compromised. We are reaching out to all 7.6M impacted customers and have reset their passcodes. In addition, we will be communicating with current and former account holders with compromised sensitive personal information.”

AT&T believes the compromised data dates to 2019 or earlier and doesn't contain personal financial information or call history, said the update. It encouraged customers to “to remain vigilant by monitoring account activity and credit reports.”AT&T informed class members by email and mail that their PII had been compromised, and it posted a notice to its website Saturday. Notice letters said full names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, AT&T account numbers and passcodes were accessed and exfiltrated in the data breach.

As a telecom provider, AT&T was targeted for a “foreseeable and preventable” cyberattack due to the “highly valuable PII” on its computer systems, said the complaint. The defendant “maintained, used, and shared the PII in a reckless manner,” doing so in a way that made it “vulnerable to cyberattacks,” it said. The cyberattack's mechanism “and potential for improper disclosure” of customers' PII was a known risk to AT&T, which was “on notice that failing to take steps necessary to secure the PII from those risks left that property in a dangerous condition,” it said.

Fraudulent activity resulting from the data breach “may not come to light for yea7rs,” said the complaint. In addition, it cited a Government Accountability Office study saying after stolen data is sold or posted on the internet, “fraudulent use of that information may continue for years.” Studies that try to measure the harm resulting from a breach “cannot necessarily rule out all future harm,” it said.

Plaintiff Alex Petroski, a Summit County, Ohio, resident, and class members gave AT&T their names, birthdates, phone and Social Security numbers and other sensitive information, the complaint said. In collecting PII from customers, it promised to provide confidentiality and adequate security for the data it collected through its privacy policy and other disclosures, it said.

Petroski believes that his PII was stolen in the data breach because AT&T didn’t use “reasonable security procedures,” such as encrypting the information or deleting it when it is no longer needed,” the complaint said. It cited an FBI ransomware prevention and response document for chief information and security officers about preventing and detecting cyberattacks.

Petroski and class members face “years of constant surveillance of their financial and personal records, monitoring, and loss of rights,” the complaint said. Data breach victims will continue to incur such damages “in addition to any fraudulent use of their PII,” it added.

With the stolen data, identity theft crimes – opening bank accounts in victims’ names, making purchases or laundering money, filing false tax returns, taking out loans or lines of credit or filing false unemployment claims -- “may go undetected until debt collection calls commence months, or even years, later,” the complaint said. Victims may not know that their PII was used to seek unemployment benefits, for instance, “until law enforcement notifies the individual’s employer of the suspected fraud,” it said. Fraudulent tax returns are typically discovered “only when an individual’s authentic tax return is rejected,” it said.

The complaint cited the AT&T privacy policy on its website saying “we work hard to safeguard your information using technology controls and organizational controls,” and “we protect our computer storage and network equipment.” Employees must authenticate themselves to access sensitive data, and the company limits access to PII “to the people who need access for their jobs,” it said.

The data breach has caused Petroski to suffer “fear, anxiety, and stress,” compounded by AT&T’s failure to disclose key details of the data breach, the complaint said. Petroski expects he will spend "considerable time and money on an ongoing basis to try to mitigate and address harms” the breach caused.

Petroski alleges negligence and negligence per se, breach of implied contract and unjust enrichment. He seeks a judgment enjoining AT&T from engaging in the wrongful conduct described and orders requiring it to protect and encrypt customers’ PII, to delete and purge customers’ PII and to provide out-of-pocket expenses associated with prevention, detection and recovery from identity theft, tax fraud and unauthorized use of their PII. Moreover, he requests an order requiring that AT&T implement a comprehensive information security program. He seeks awards of actual, nominal statutory, consequential and punitive damages; attorneys’ fees and costs; and prejudgment interest.

Petroski’s counsel, Kendall Law, filed three more class actions Sunday and Monday vs. AT&T on behalf of plaintiff Andrew March (docket 3:24-cv-00758) of Rocky River, Ohio; plaintiff Mike Montoya (docket 3:24-cv-00760); an Arizona resident; and plaintiffs Jeffrey Cumo, of Kalamazoo, Michigan, and Tiara Alston, Dekalb, Georgia (docket 3:24-cv-00772).

AT&T didn't begin informing victims of a data breach that occurred in 2019 until Saturday, said another negligence class action Monday (docket 3:24-cv-00769 ). The provider waited five years to disclose the breach to customers, and only did so after the personally identifiable information (PII) belonging to class members was posted by cybercriminals on the dark web, said the complaint.

Plaintiff Matthew Barkley, of Lisbon, New York, seeks to hold AT&T liable for the harms it caused and will continue to cause him and 7.6 million current and 65.4 million former AT&T customers, said the complaint. AT&T determined that “AT&T data-specific fields were contained in a data set released on the dark web,” said the complaint. The source of the breach “is still being assessed,” it said.

AT&T “willfully, recklessly and negligently” failed to take and implement adequate and reasonable measures to ensure that the PII of its current and former customers was safeguarded, and it failed to follow required and appropriate protocols and procedures regarding data encryption, said the complaint. The full extent of the types of PII, scope of the breach and root cause of the incident are “within the exclusive control” of AT&T, its counsel and forensic security vendors, it said.

Barkley asserts claims of negligence, breach of implied contract, unjust enrichment and breaches of fiduciary duty and the implied covenant of good faith and fair dealing. He seeks a judgment enjoining AT&T from engaging in the wrongful conduct described and orders requiring it to protect and encrypt customers’ PII and to delete and purge customers’ PII. The plaintiff requests awards of actual, consequential and nominal damages; prejudgment interest; and attorneys’ fees and costs.

In a Sunday complaint, plaintiff Mario Jaramillo, of Los Angeles, alleges a data seller published about 73 million AT&T data breach records online in early March on a cybercrime forum, including his PII, said the class action (docket 3:24-cv-00761). “AT&T has not been forthcoming about the nature and severity of cybersecurity events impacting its customers,” said the complaint, noting that three years ago a hacker signaled he had stolen “millions” of AT&T customers’ data. AT&T didn’t adequately warn its customers that they were in danger “until years later,” after “cybercriminals had free reign to impersonate, surveil, and defraud their unsuspecting victims," it said.

Plaintiff Lacrista Bagley, of Oklahoma, said in her Monday class action (docket 3:24-cv-00770), that AT&T informed her in a notice that her stolen PII was leaked on the dark web in March, but it’s “unclear why AT&T waited two or more weeks to notify victims that their PII was on the dark web.” AT&T’s s “failure to timely detect and report the Data Breach made the victims vulnerable to identity theft without any warnings to monitor their financial accounts or credit reports to prevent unauthorized use of their PII,” it said.

Plaintiff Nicholas Nelli, residing in Woodstock, Georgia, asserted he and class members provided their PII to AT&T with the “reasonable expectation and on the mutual understanding that it would comply with its obligations to keep such information confidential and secure from unauthorized access.” AT&T, under principles of equity and good conscience, “should not be permitted to retain the full value” of Nelli and class members’ payments and their PII because it “failed to adequately protect their PII,” it said. AT&T didn't comment Monday.