AT&T’s Security Measures: How to Protect Your Data

AT&T is trying to make it up to their customers following the leak in March, including identity theft monitoring and a $1 million insurance policy. Millions of customers were impacted by the leak.

AT&T is trying to make customers feel more at ease by offering security perks after the sensitive information of more than 70 million people was leaked on the dark web in late March.

The telecom giant said that 7.6 million current customers and 65.4 million former customers were affected by the breach, USA TODAY previously reported. The compromised data may have included personal information, like Social Security numbers from AT&T data-specific fields from 2019 or earlier, but did not contain “personal financial information or call history.”

It wasn’t immediately known whether the “data in those fields originated from AT&T or from one of its vendors.” They were still investigating the incident.

The company contacted all 7.6 million impacted current customers after “a number of AT&T passcodes” were compromised, opting to reset the passcodes as a “safety precaution.”

They also offered complimentary identity theft and credit monitoring services, a service they continue to offer in addition to other new features, like a $1 million insurance policy and help from an identity restoration team, according to reporting by KPRC-TV.


What is AT&T offering customers following data leak?

AT&T will be offering customers a number of features, including, “one year of complimentary credit monitoring, identity theft detection, and resolution services; an insurance policy of up to $1 million in coverage in the event of identity theft; access to an identity restoration team,” according to KPRC-TV.

In addition to resetting passcodes, the company has also reached out to affected customers, saying they had “emailed and mailed letters to individuals with compromised sensitive personal information separately and offering complimentary identity theft and credit monitoring services,” according to the AT&T website. 

AT&T also has encouraged customers to “remain vigilant,” monitoring account activity, reviewing credit reports, and reporting suspicious activity.

Security at AT&T


AT&T takes security very seriously. After it has come across the airlink, your data enters the AT&T network, where we take great care to ensure that data confidentiality and integrity are protected.

To secure data both in transit across the network and stored in the network, AT&T has implemented a comprehensive security program that focuses on 13 major areas. The areas are derived from ISO 17799, COBIT, and other industry best practices.

Although this section describes AT&T’s specific security program, you can apply the concepts to carrier security in general. Before deploying a mission-critical wireless application using another carrier, make sure that company’s security measures meet your tight standards.

The 13 areas are as follows:

  • Strategy, planning, and governance
  • Policies, standards, and compliance
  • Metrics and measures
  • Education and awareness
  • Application development and testing
  • Intrusion detection and response
  • Network operations and firewalls
  • Patch, antivirus, and vulnerability management
  • User and access management
  • Continuity planning and crisis management
  • Disaster recovery
  • Physical and environmental security
  • Security personnel


Strategy, Planning, and Governance


AT&T has an Enterprise Security and Privacy Governance council with executive representatives from each key area of our business. The council meets regularly to create strategies and make decisions about security and privacy issues that affect AT&T and our customers.

Policies, Standards, and Compliance


AT&T has developed policies and standards that cover seven security domains, and we actively monitor our security processes to make sure that the business as a whole is complying with those policies and standards:

  • Identity/user
  • Confidentiality and privacy
  • Networking
  • Systems, hosts, and devices
  • Middleware and applications
  • Security management and process definition
  • General

Additionally, AT&T has an active program for ensuring compliance with the Sarbanes-Oxley Act of 2002. And we have annual security assessments performed by third parties to test the effectiveness of our security program.


Metrics and Measures


It is not enough just to have security policies and to set standards. To make sure that their policies and procedures are actually followed, enterprises need to define metrics for each area of their security programs and to determine how to measure success and compliance in those areas.

At AT&T, we have established specific metrics for each of the other 12 areas in our security program. Having objective, quantifiable goals and performance measurements ensures that the program is working the way we want it to.


Education and Awareness


AT&T has a security awareness program that’s designed with modules to address the needs of specific job functions and roles. For example, additional technical training is included in the modules for developers, database administrators, and system administrators; modules for executives emphasize more corporate-level policies.


Application Development and Testing


AT&T has rigorous procedures in place to make sure that all our applications are fully tested and meet our security requirements. AT&T also regularly tests production Internet applications for security vulnerabilities.


Intrusion Detection and Response


AT&T has deployed an advanced intrusion detection system that is actively monitored by our Security Network Operations Center (SNOC). SNOC has established procedures to analyze events and to evaluate the threat that a particular event may pose. SNOC also has a Security Incident Response process in place to rapidly investigate and respond to potential attacks.


Network Operations and Firewalls


AT&T has redundant stateful inspection firewalls at each border connection to the AT&T infrastructure. Appropriate security measures are in place for all traffic that remotely accesses the AT&T infrastructure.

AT&T also has redundant Network Operation Centers operating 24×7, to ensure the proper operation of all security systems.


Patch, Antivirus, and Vulnerability Management


AT&T actively scans the network environment for potential vulnerabilities, and we have vulnerability management processes in place to mitigate risks. AT&T also has security patch and antivirus management programs to make sure that software updates and virus signatures are deployed rapidly when they become available. Additionally, our comprehensive antivirus program includes rapid virus detection and removal.


User and Access Management


AT&T uses a workflow tool for processing requests to access our applications and systems. Procedures are in place to verify employment and to review the need for access before the access is granted. Additionally, when employees leave the company, their user accounts are removed promptly.


Continuity Planning and Crisis Management


AT&T’s enterprise-wide Continuity Planning and Crisis Management program is designed to minimize risk to people, profit, process, and property through defined best practices. The program has four phases:

  • Prevention
  • Mitigation
  • Response
  • Recovery

Procedures that support these phases include:

  • Business impact analysis
  • Site risk assessment, policies, standards, and guidelines
  • Personal preparedness
  • Crisis and incident management, planning, and support
  • Government coordination
  • Recovery plan development
  • Disaster exercises
  • Recovery support


Disaster Recovery


AT&T’s IT Continuity Planning and Disaster Recovery Program includes disaster preparedness and recovery planning for critical IT applications, processes and facilities. AT&T contracts with third parties to support critical IT components and also implements in-house recovery strategies to ensure that business processes can continue in the event of disaster. AT&T regularly performs disaster exercises to provide training and to validate recovery capabilities.


Physical and Environmental Security


All AT&T facilities that contain critical information systems and assets are protected by a combination of physical security measures. These measures may include magnetic badge readers, security personnel, video monitoring systems, and so on. Precisely defined policies in our Data Center Access Policy for AT&T Enterprise Data Centers determine which measures we implement at a given facility.

AT&T manages physical access to facilities through card-key security badges, and AT&T Data Center Operations controls who can access critical assets across the enterprise. Some facilities use a single-badge photo ID and access card (combined); others use a dual-badge system with a separate photo ID and electronic badge that records entry to all critical-asset areas.

Procedures are in place to verify employment and to review the need for access before the access is granted. A critical-asset owner maintains a list of employees who are authorized to access the asset.


Security Personnel


AT&T employs only well-trained and industry-certified security professionals to manage and support our security program.


Our Actions & Impacts

In 2022, AT&T’s work to advance network and data security included:

  • Continuing to utilize state-of-the-art security tools to detect and mitigate cyber threats to our network.
  • Sharing threat intel with appropriate authorities, industry groups, vendors and peers to aid in securing the nation’s communications infrastructure.
  • Gathering experts from AT&T, government, industry and across the security spectrum to share perspectives on today’s threat landscape at our 2022 AT&T Security Conference. Participants heard from top security thinkers and practitioners on the latest security innovation and implementation strategies to help bring industry security solutions to the next level.


Our information security program is designed to protect the integrity, confidentiality and availability of our network. AT&T’s Chief Security Office (CSO) maintains a global organization comprised of highly trained security professionals, with additional security specialists in other organizations across AT&T who work closely with the CSO to address department-specific issues. Our security governance structure consists of the following:

  • Chief Information Security Officer: AT&T’s Chief Information Security Officer (CISO) leads our CSO in its efforts to establish policies, requirements and comprehensive programs to help build security into the fabric of every organization across the business.
  • CSO: The CSO supports a broad range of functions, from security policy management to the implementation of security solutions. The team reviews and assesses our security controls to keep pace with industry developments and satisfy regulatory and business requirements. The CSO’s technical personnel work in conjunction with other AT&T departments to evaluate threats, determine protective measures, create response capabilities and assess compliance with security best practices.
  • Board Oversight: The Audit Committee of the AT&T Board of Directors (Board) oversees the company’s risk management strategy, which includes cybersecurity and network defense. The Board and the Audit Committee receive updates from officers, including our CISO, on network and data security and associated risks.


Security Policies and Standards

AT&T Security Policy & Requirements

The AT&T Security Policy and Requirements (ASPR) serves as a guide and a reference point for conducting business in a secure environment and protecting AT&T information resources. ASPR is a comprehensive set of security control standards based, in part, on leading industry standards such as ISO/IEC 27001:2013.

Certifications & Standards

In addition to ASPR, we maintain the following standards and certifications:

  • Supplier Security Standards:
    • AT&T’s supplier contracts stipulate that suppliers comply with our Supplier Information Security Requirements (SISR). SISR applies to supplier entities when performing any action, activity or work that involves:
      • The collection, processing, storage, handling, backup and disposal of and/or access to in-scope information
      • Providing or supporting AT&T branded applications and/or services using non-AT&T information resources
      • Connectivity to AT&T’s nonpublic information resources
      • The development or customization of any software for AT&T
      • Website hosting and/or development for AT&T
    • All commercial off-the-shelf products we use must meet or exceed the AT&T Publicly Available Products and Applications Security Requirements. These security requirements are based on our network and data security policies and industry standards.
  • Third-party Certifications & Audits: AT&T’s internal security controls are audited by third-party assessors on an annual basis, including the following:
    • Information Security Standard (ISO/IEC 27001)
      • AT&T maintains 2 global ISO/IEC 27001:2013 certifications. The scope of these certifications covers the AT&T global IP infrastructure and certain customer-facing managed services. To maintain the certifications, AT&T undergoes annual recertification assessments.
    • Quality Management Standard (ISO 9001)
      • AT&T has achieved ISO 9001:2015 certification, which demonstrates and reinforces our belief that customer satisfaction and expectations are the most important factors in the work we do. We are fully committed to a high standard and quality of work for any project we undertake.
    • AT&T also undergoes other annual third-party audits, such as those for the Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act and SSAE 18/ISAE 3402.

Network Security Monitoring

AT&T uses a consistent, disciplined global process to promptly identify security incidents and threats, minimize the loss or compromise of information, and facilitate incident resolution. AT&T maintains 24/7, near-real-time security monitoring of the AT&T network for investigation, action and response to network security events. Our threat management platform and program provide near-real-time data correlation, situational awareness reporting, active incident investigation, case management, trending analysis and predictive security alerting. AT&T uses the same set of security tools to manage our global network that we use for enterprise customers.


To uphold our security standards, AT&T performs regular analysis of our operations and applications for security compliance. These reviews may be facilitated or conducted through our CSO; by a department representative for a product, service, supplier or partner relationship; or by an internal operations team responsible for life cycle service management.

Training & Compliance

Our internal security awareness program utilizes interactive content to help our employees develop skills to protect AT&T data, devices and networks. The program emphasizes personal responsibility from every person who touches the network – such as office workers, server administrators, field employees and more. Our CSO is charged with directing and coordinating security awareness and education, including developing, approving and managing all training content. Elements of this program include:

  • Code of Business Conduct: AT&T’s Code of Business Conduct (Code) is the foundation for how we do business and how we treat each other and our customers. It emphasizes the need for AT&T employees to properly safeguard our customers’ private data by following laws and regulations which stipulate how the data should be managed by following network and data security standards. All AT&T employees are required to annually acknowledge their responsibility to adhere to our Code.
  • Screening: We have controls in place to screen AT&T employees, contractors and suppliers. For example, we conduct background checks on the finalists for all U.S. and international employment positions, and AT&T’s Global Supply Chain organization includes background check requirements in agreements with suppliers. These requirements help to ensure that supplier personnel with physical access to AT&T and/or customer premises are properly screened and are aware of their responsibilities regarding AT&T and customer assets.
  • Communications: To deliver general and targeted security awareness initiatives within AT&T, the CSO maintains an internal security awareness website and newsletter, employee- and department-specific bulletins and communications, and job aids in addition to hosting technology conferences and employee security awareness events.
  • Training: All employees must take an annual security awareness training course as part of AT&T’s Corporate Compliance training. We have also developed a security-specific training program that features security subject matter experts from across the business to deliver webcasts and video productions. For example:
    • You Are the Firewall™ promotes security awareness among employees at all AT&T locations through animated short stories, original video games with embedded security training, live game shows and International Security Awareness Week. This entertainment-based approach to the security awareness program was reviewed by industry analysts and has received the highest acclaim from the Institute for Applied Network Security.
    • In addition to annual security compliance training, we encourage employees to pursue further security training and accreditations and certifications when relevant to their roles. This training is conducted both within AT&T and through corporate training organizations, such as:
  • Professional Certifications: Our large population of security professionals maintains certifications and credentials such as:
    • Certified Information Systems Security Professional
    • Certified Information Systems Auditor
    • Certified Information Security Manager
    • Certified Ethical Hacker
    • Global Information Assurance Certification

Testing & Reporting

AT&T’s approach to identifying and managing cybersecurity risk is formalized in our security risk management program. Elements include:

  • Risk Management Program: AT&T has a formal, documented risk management policy and program which includes risk identification, risk assessment, risk analysis and risk mitigation. This extensive program consists of vulnerability testing, compliance reviews and security audits to provide a comprehensive view of AT&T’s security risk posture.
  • Evaluations: AT&T conducts regular tests and evaluations to help provide security controls and maintain the functionality of these controls in accordance with our security policy. Security status checks include:
    • Verifying system security settings and statuses and reviewing users that have security administrative or system authority
    • Testing network elements to help provide the proper level of security patches and to determine only required system processes are active
    • Validating server compliance with the AT&T Security Policy and Requirements
    • Utilizing independent third parties to help assess risk to AT&T, our network and customers and, where appropriate, our suppliers
  • Vulnerability Testing: Internal authorized personnel perform vulnerability testing using industry scan tools and AT&T-developed tools to assess whether controls can be bypassed to obtain any unauthorized access. We use systemic anomaly reporting to indicate abnormal use of our systems – both customer-facing and employee-facing. When we identify vulnerabilities, we assess severity, potential impact to AT&T and its customers, and the likelihood of occurrence of the vulnerability. From that assessment, we develop and implement plans to address vulnerabilities.
  • Bug Bounty Program: We also encourage and reward contributions by developers and security researchers through the AT&T Bug Bounty Program. We provide monetary rewards and/or public recognition for certain security vulnerabilities responsibly disclosed to us.

Security Innovation Strategy

The security of our customers has always been a top priority for AT&T. To protect network, data, mobility and cloud-based information resources in an era of large-scale, sophisticated attacks, we design and implement new security architectures based on the latest advances in virtualization, artificial intelligence and networking. With more than 1,000 security-related patents, we’ve been a leader in security technology for more than a century – safeguarding systems from basic voice communications to 5G.

AT&T ActiveArmor℠ brings our security expertise, resources and products under a single brand. The combination of our 24/7 network protection with built-in, patented security technology helps proactively detect and prevent threats, and our free, easy-to-use mobile security app can be used to manage spam calls, get information on data breaches and more. Together, these capabilities help safeguard our customers, their devices and their data.

Customer Solutions

We provide a variety of mechanisms for customers to take control of the security of their data, including:

  • AT&T Business Solutions: Security is top-of-mind for any business, large or small. Helping protect customers’ IT infrastructure against today’s emerging threats is more important than ever. Visit AT&T Cybersecurity for more information about our solutions for business customers.
  • Robocall Scam Identification & Mitigation: AT&T has established mechanisms to identify illegal robocall campaigns and help to mitigate them.
    • Through the complementary programs listed below, AT&T has blocked or labeled billions of unwanted robocalls.
      • AT&T ActiveArmor℠ automatically blocks fraud calls and labels other suspected spam calls so a wireless customer can choose to answer or not. It identifies the calls through data analytics, network intelligence and customer reports.
      • AT&T’s Global Fraud Management team works closely with the U.S. Telecom Industry Traceback Group and law enforcement to identify the source of illegal calls. This process provides necessary information to stop illegal robocall campaigns and places responsibility on service providers for traffic that originates on their networks.
      • AT&T’s Global Fraud Management organization, with assistance from the AT&T Chief Data Office, uses sophisticated algorithms to examine billions of calls each day for patterns that indicate a robocalling scheme. They investigate suspicious activity that may be illegal, relying on human fraud expertise before blocking.
    • Implementation of the caller ID authentication standard known as STIR/SHAKEN remains a top priority for AT&T, and we have deployed it across our IP networks. We have filed comments with the Federal Communications Commission (FCC) detailing our progress on this front and offering our support as the FCC addresses the complex details of implementation. We also supported the TRACED Act, which codified implementation requirements.
    • We work to protect our customers from abusive, illegal and unwanted text messages – including patented, automated scanning and filtering. Customers can help by forwarding suspicious text messages to 7726 (SPAM) so we can investigate them. iOS and Android messaging apps now also feature newer, simpler ways to forward these messages to us.
  • Opt-Out Options: Customers have the ability to manage how they want to be contacted by AT&T, including opting out of telemarketing calls and emails. When building marketing campaigns, AT&T honors a customer’s request to be added to AT&T’s internal Do Not Call list – in addition to the Federal Trade Commission’s National Do Not Call list and various state Do Not Call lists, as appropriate. For more information, visit the National Do Not Call Registry.

For more information on how to report and guard against fraud or security issues, please visit our Fraud & Security Resources website.


Customer Awareness & Education

Educating customers on proper security measures is the best line of defense. As more devices connect to the internet, customer education becomes even more important. AT&T Cyber Aware is a resource designed to empower and educate customers about fraud protection and cybersecurity. The Cyber Aware website explains in simple terms how many scams work, ways to recognize them and steps customers can take to protect themselves. The website offers information and alerts on security and privacy topics and is available to everyone – not just AT&T customers.

Stakeholder Engagement

AT&T is proud to be a leader and a participant in many industry and academic organizations – both to help set standards and to keep pace with industry developments. Our engagement on network and data security includes:

For more information on our stakeholder engagement and our perspective on cybersecurity policy news, visit AT&T Connects.

Our Path Forward

AT&T will continue to enhance the security of our network through the following efforts:

  • We are working on quantum safe encryption through increasing awareness and obtaining support for quantum encryption within AT&T; collaborating with NIST Quantum Consortium Enabling the Quantum Ecosystem and Alliance for Telecommunications Industry Solutions on Next Gen Cybersecurity Standards; and automatically changing algorithms when they are found to be vulnerable. We are also conducting a quantum risk analysis to evaluate which AT&T assets would be susceptible to a quantum attack.
  • We are evolving our security ecosystem from perimeter-based architecture to zero trust controls. The main concept behind the zero trust security model is to always verify a network or user. Devices should not be trusted by default, even if they are connected to a permissioned network, such as a corporate LAN, or were previously verified. By implementing zero trust controls, we are ensuring that only appropriate contacts are able to access the network.
