The AT&T data breach revealed earlier this week may have affected as many as half a million users in the UK, analysis shows.
Data from Surfshark shows that while the US-based users make up the lion’s share of affected customers with 62 million exposed email addresses, a sizable number of global users were also impacted.
UK-based users were the second hardest-hit by the breach, figures show, with 495,000 users affected. The names of 486,000 were exposed, along with the cities of 460,000, the phone numbers of 457,000 and dates of birth of 141,000.
In all, a total of 2.7 million records belonging to people in the UK were exposed.
Anne Cutler, cyber security expert at Keeper Security, said the exposure of customer data outside the US highlights the scale of the breach and its wide-reaching global impact.
Cutler warned that customers should take immediate steps to protect themselves from potential follow-up attacks by cyber criminals, such as phishing.
"In cases where personal information is stolen, threats from the data breach persist even after it’s been discovered and contained," she said.
"It is imperative for both current and former customers of AT&T to take proactive steps to protect themselves from cyber criminals using their personal information for identity theft and targeted attacks."
AT&T said it's taken precautionary measures in the wake of the breach, and is contacting those whose sensitive personal information has been compromised to offer complimentary identity theft and credit monitoring services.
It has also now reset passcodes for the millions of customers affected, after suggestions that the encrypted passwords that formed part of the leak could be deciphered and used to access customer accounts.
AT&T also suggested that customers should monitor their account activity and credit reports, and set up free fraud alerts from credit bureaus.
AT&T facing a slew of lawsuits
AT&T could face additional pressure in the coming months, with at least one lawsuit having already been filed in the US.
Injury law firm Morgan & Morgan claims in a class-action lawsuit on behalf of Patricia Dean of Illinois that AT&T knew about the vulnerability that led to the breach, and allowed it to occur by failing to act.
A hacking group called Shinyhunters, it said, advertised data on over 70 million AT&T users, including full names, email addresses, physical addresses, and in some cases Social Security numbers and dates of birth back in 2021.
"We’re... alleging AT&T exacerbated the problem by failing to acknowledge the breach had occurred until March 30 of this year, allowing customers’ personal data to linger in criminal hands without their knowledge for more than two-and-a-half years," court filings read.
It's asking for damages and monetary relief, along with lifetime credit monitoring for affected consumers.
Meanwhile, another US-based legal firm, Spodek Law, is encouraging AT&T users to get in touch, pointing out that in some cases, courts have awarded data breach victims $1,000 or more per person in class action settlements.
"You may still have a claim even if you haven’t yet experienced concrete harms from the breach. Courts have recognized that the time and expense of guarding against future identity theft is a compensable injury," it said.
