After having nearly all of its customers’ records breached, AT&T is facing a class action lawsuit alleging that the cellular company failed to implement adequate cybersecurity procedures and protocols. The class action is taking place in Texas, Montana and New Jersey federal courts.
The lawsuit arises out of an incident that took place in May 2022 in which hackers downloaded phone call and text message records belonging to “nearly all” the AT&T’s wireless customers. AT&T admitted to the hack and said that the breached data included a record of every AT&T customers’ phone and text logs however, it did not include the content of calls and text messages suchg as social security numbers, dates of birth or customer names.
The lawsuit claims that AT&T was negligent and alleges that the company was not sufficiently transparent about the “nature and extent of data security lapses impacting its customers,” including how the attacks put them in danger of identity fraud. “Plaintiff and other data breach victims provided their [personally identifiable information] to AT&T with the reasonable expectations and mutual understanding that AT&T would comply with its obligations to keep such information confidential and secure from unauthorized access,” the complaint said.
Dina Winger, the plaintiff in the Texas lawsuit emphasized that AT&T should have known the risks within the cellular industry and should have implemented protocols to mitigate such risks. “Because the data breach was an intentional hack by cybercriminals seeking information of value that they could exploit, victims are at imminent risk of severe identity theft and exploitation,” Winger said, adding that AT&T knew or should have known that its systems were targets for cybersecurity attacks.
In the Montana federal court, AT&T was accused of “failing to properly secure and safeguard their personal information, including phone call and text message records for “nearly all” of the company’s 110 million cellular customers.” That lawsuit seeks to collect money from AT&T as compensation in addition to an injunction that requires the company to modify its data security processes and granting the victims credit monitoring and identity theft insurance, as well as attorney fees and litigation costs.
The New Jersey case mainly repeats the Montana and Texas accusations and simply emphasizes that AT&T disregarded its customers’ rights by failing to implement adequate measures to protect their sensitive information. All the plaintiffs aim to represent nationwide classes of data breach victims, potentially getting the class to millions of individuals.
AT&T Explains How the Breach Occurred
According to AT&T, its investigation revealed that a hacker accessed an AT&T workspace on a third-party cloud platform. The hacker then extracted files containing records of customer call and text interactions from approximately May 1 to October 31, 2022. The cellular service company said that it immediately activated its incident response process as well as hired external cybersecurity to help with the issue.
Since then, AT&T has assured its customers that none of their sensitive information has been leaked and that it has now secured its systems in order to discontinue the breach. 
PHOTO BY: BROWNINGS, USED UNDER CC BY-SA 3.0
Jacob Horowitz is a contributing editor at Compliance Chief 360°