(Photo by MANDEL NGAN/AFP via Getty Images)
An AT&T customer has launched a class-action lawsuit against the carrier for allegedly ignoring a data breach involving 73 million users.
Injury law firm Morgan & Morgan announced the lawsuit today, two days after AT&T reset passcodes for millions of users after the stolen data was found circulating on the internet.
“We allege AT&T knew about the vulnerability that allegedly led to this breach, but allowed it to occur by failing to act,” the law firm said in a statement.
The suit notes that cyber criminals may have been circulating stolen AT&T customer data as far back as 2021. That’s when a hacking group called Shinyhunters was spotted auctioning off an archive containing data on over 70 million AT&T users, including full names, email addresses, physical addresses, and at least in some cases, Social Security numbers and dates of birth.
While some of the user data appeared to be legit, at the time AT&T denied that the information had come from the carrier, or that it had suffered a breach. The mysterious leak then made headlines last month when a new user called MajorNelson began circulating another 5GB archive that appeared to contain the same data. Only this time, MajorNelson made the data freely available on a hacking forum.
AT&T again initially denied that the data had come from the carrier. But this past weekend, the company changed its tune after a security researcher analyzed the leaked data and found users' AT&T passcodes in the archive, according to TechCrunch. In response, the company reset passcodes for 7.6 million users.
“Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and 65.4 million former account holders,” the carrier said on Saturday.
Although the carrier is now taking action to address the threat, the class-action lawsuit faults AT&T for allegedly failing to respond in 2021 by thoroughly examining the leak or warning customers. “We’re also alleging AT&T exacerbated the problem by failing to acknowledge the breach had occurred until March 30 of this year, allowing customers’ personal data to linger in criminal hands without their knowledge for more than two-and-a-half years,” the suit says.
AT&T didn’t immediately respond to a request for comment. But in a company FAQ about the incident, the carrier says it still hasn’t determined the origin of leaked data, and whether it came from AT&T or one of its vendors. “Currently, AT&T does not have evidence of unauthorized access to its systems resulting in theft of the data set,” the FAQ adds.
In the meantime, the class-action lawsuit is urging the court to force AT&T to pay damages, monetary relief, and for lifetime credit monitoring to the affected consumers. The plaintiff, Patricia Dean of Illinois, filed the lawsuit in Texas, where AT&T is headquartered.