In reversal, AT&T says most FirstNet customers impacted in data breach disclosed last week

AT&T acknowledged a leak involving the data of 73 million current and former subscribers, including some government and law enforcement customers.

“We now believe the proportion of FirstNet numbers included in the data is similar to that of our broader customer base,” the company said in a statement.

AT&T said most phone numbers connected to a Commerce Department-linked public safety network service relied on by U.S. first responders were compromised in a data breach revealed last week.

The new statement out Friday reverses course on how the breach affected FirstNet, a program managed by AT&T that’s relied on by federal, state, local and tribal governments for emergency public safety services like fire and police departments.

The telecom giant a week ago said the stolen data on nearly all AT&T customers included both cellular and landline phone numbers, along with records of calls and text messages — detailing who contacted whom — over a six-month window from May 1, 2022, to October 31, 2022.

The pilfered data does not include the specific contents of the calls and text messages, nor times or dates of the conversations, but it does include records of interactions between AT&T phone numbers during the six-month period, including the total number of calls and texts, and the duration of calls. At least one person has already been arrested in connection with the breach.

“Our initial assessment of the percentage of FirstNet numbers in the compromised data was incorrect,” a spokesperson told Nextgov/FCW. “We now believe the proportion of FirstNet numbers included in the data is similar to that of our broader customer base.” Last week, a spokesperson said that a “majority of FirstNet’s subscribers as of the end of 2022 are not included in the compromised data.”

“We take protecting FirstNet data very seriously. And we’ll continue to work with the FirstNet Authority and the public safety community to ensure FirstNet is effectively serving the nation’s first responders,” the statement added.

Entities affiliated with FirstNet are directed to check their account to see if they were impacted in the breach, a company notice said.

The Commerce Department did not immediately return a request for comment.

AT&T is one of the top suppliers of telecom and network services to the federal government. It is a prime contractor on the $50 billion Enterprise Infrastructure Solutions contract — a multiple award program from which agencies can issue and award task orders — that is administered by the General Services Administration.

Agencies that tap AT&T for telecommunications services include the Departments of Homeland Security, Justice and State, Defense, Veterans Affairs and agencies in the intelligence community. The company in 2018 also secured a hefty classified contract with the National Security Agency. 

The call logs were first stolen in April, but the company — which is publicly traded and required to adhere to strict disclosure requirements set by the Securities and Exchange Commission — obtained a national security exemption to delay the breach notification, it said in its filing of the incident. The data exfiltration was connected to a breach in Snowflake, a data warehousing provider, the company confirmed to several media outlets.

While only phone numbers were obtained, they can easily be used to build out profiles on government staffers, Jon Taylor, VP of Security Engineering at Fortress Information Security, told Nextgov/FCW in the wake of the announcement. He added that attempted cyberattacks on federal employees should be expected to increase.

“Nobody’s social security number was gone, but the abject look for fraud is really where it’s at, especially if government agencies are involved here,” he said at the time.