Sustainability Accounting Standards Board (SASB) Index

• U.S.: 117.851 million
• Mexico: 23.576 million

• Retail Switched Access Lines: 3.296 million
• Voice over Internet Protocol connections: 2.223 million

Global broadband subscribers: 15.438 million

Please see our Q4 2024 Earnings Statement.

• Percentage on cellular network
• Percentage on fixed network

• Total energy consumed (Gigajoules)
• Percentage grid electricity
• Percentage renewable energy
• Data center Power Usage Effectiveness

FY2024 data will be available in Q2 2025

Our Privacy Notice explains how we use and protect consumer information, and the choices consumers can make about how their information is used

Information on our privacy and data use approach—as well as links to privacy choices and security tips—is available through the AT&T Privacy Center and AT&T Mexico Comprehensive Privacy Notice, which are clearly signposted on our website and the AT&T app. Privacy policies and notices for AT&T’s apps and services are accessible in-app and on services’ websites. Through these, consumers can explore choices for opting out of certain data collection and marketing programs, such as behavioral advertising. Our approach to transparency also includes:

• Policy Updates & Questions: When we update privacy policies and notices, we notify consumers as required. Consumers can also send questions or feedback by submitting a question via our Data Request Center or writing to AT&T Chief Privacy Office, 208 S. Akard St., Room 2901, Dallas, TX 75202.
• Transparency Report: We publish a biannual Transparency Report with comprehensive information on our responses to legal demands. It includes the number and types of demands, those that were partially or completely rejected, demands for location information, exigent requests and international demands. The AT&T Global Legal Demand Center oversees demands from law enforcement. 
• Consumer Resources: Our customer Privacy Choices consent portal simplifies making privacy choices and providing consents; we also offer a tool for opting out of email marketing. Similarly, through the AT&T ActiveArmor^SM mobile security app, customers can view all privacy and security resources in one platform. This free app helps customers block spam calls, secure personal data, create a personal block list and more.

For more information on AT&T’s data protection and security practices, please see our Privacy issue brief.

• Percentage who have opted in

• Number of customers whose information was requested
• Percentage resulting in disclosure

Like all companies, we are required by law to provide information to government and law enforcement entities, as well as parties to civil lawsuits, by complying with court orders, subpoenas, lawful discovery requests and other legal requirements. The AT&T Transparency Report provides (1) specific data regarding the number and types of legal demands to which we responded that compelled AT&T to provide information about (a) communications or (b) our customers, as well as (2) information permitted by law to be disclosed about Foreign Intelligence Surveillance Act demands. 

The Transparency Report also provides information about legal demands that were partially or completely rejected, demands for location information, emergency requests and international legal demands. AT&T does not currently disclose the number of individual customers whose records were requested. 

• Percentage involving customers’ personally identifiable information
• Number of customers affected

AT&T is not able to provide information on data security breaches, as it is confidential.

We test privacy control effectiveness to proactively identify and address potential weaknesses yet, like all companies, we sometimes experience attempts to gain unauthorized access to customer or employee data. When such situations arise, our Incident Response team rapidly enacts a defined action plan.

The team follows a carefully designed governance structure and response process, investigating suspected breaches and evaluating potential impacts. If we determine a data breach has occurred, we notify affected consumers and authorities as legally required. 

To ensure our response remains robust and effective, we regularly test and improve it through tabletop exercises. We also keep up to date with data-privacy laws and regulations to ensure ongoing compliance.

For more information on our data protection and security practices, please see the AT&T Privacy Center website and our Privacy and Cybersecurity issue briefs. 

We defend the AT&T network with a multi-layered approach, including monitoring, active prevention and rapid response to security threats. We leverage tools, where available, that include near-real-time data correlation, situational awareness reporting, active incident investigation, case management, trend analysis and predictive security alerting. Our network and information security program is designed to protect the confidentiality, integrity and availability of our information and that of our customers. It encompasses the Chief Security Office (CSO) and its policies, platforms, procedures and processes for assessing, identifying and managing risks from cybersecurity threats. This includes third-party risk from vendors and suppliers. The program is designed to identify, respond to and resolve security incidents and threats in a timely manner to minimize the loss or compromise of information assets. We also take an “all hands on deck” approach to cybersecurity — all AT&T employees receive annual security training on their responsibilities as the first line of defense for cybersecurity. Educational materials are also available to customers, suppliers and everyone who works with AT&T.

We have dedicated security policies and standards that apply to all AT&T employees, contractors and suppliers and are informed by industry-leading standards, including:

• National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST 800-53 Rev. 5
• External certification and assessment requirements, such as PCI-DSS, SOX, SSAE18/ISAE3402 SOC and ISO 27001
• Privacy and data security laws and regulations, such as the California Consumer Privacy Act, the European Union’s General Data Protection Regulations, and the New York Department of Financial Services Part 500 Cybersecurity requirements 

AT&T maintains two global ISO/IEC 27001 certifications which cover our global IP infrastructure and certain customer-facing managed services. We have also achieved ISO 9001¹ certification, demonstrating our belief that customer satisfaction and expectations are the most important factors in the work we do. In addition, we undergo other third-party audits, such as those for the Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act and the Statement on Standards for Attestation Engagements 18/International Standard on Assurance Engagements 3402.

We assess, identify and manage risks from cybersecurity threats through various mechanisms. These include vulnerability testing, attack simulation and tabletop exercises to examine our preparedness and incident response process, penetration tests, threat modeling, a Bug Bounty program, large scale data correlation and alerting, and internal and external audits. We conduct vulnerability testing and assess identified vulnerabilities for severity, the potential impact to AT&T and our customers, and likelihood of occurrence. Our security teams work with application and system owners to remediate those vulnerabilities. We regularly evaluate security controls to maintain their functionality in accordance with our security policy. We also obtain cybersecurity threat intelligence from recognized forums, third parties and other sources as part of our risk assessment process. In addition, as a critical infrastructure entity, we collaborate with numerous agencies in the U.S. government to help protect U.S. communications networks and critical infrastructure. This in turn informs our cybersecurity threat intelligence.

Learn more about our security policies and standards on our Security at AT&T webpage. For details on our managerial approach to security, please see our Cybersecurity issue brief. 

• Reused
• Recycled
• Landfilled

• Reused or sold: 94%²
• Recycled: 6%²
• Landfilled: 0%²

We strive to recycle plastics and metals responsibly and require that our U.S. device recycling and salvage vendors maintain R2 certification, confirming adherence to responsible electronics recycling standards. R2 is a comprehensive global certification awarded to facilities that adhere to the R2 responsible electronics recycling standards, which cover areas such as worker health and safety, environmental protection, chain-of-custody reporting and data security.

AT&T collaborates with peers through the Global System for Mobile Communications Association (GSMA), which has working groups focused on consumer device and network equipment recycling. We also collaborated with Cellular Telecommunications and Internet Association working groups to create the Guidelines for Wireless Device and Accessory Packaging and the refined industry standard for used wireless device grading.

For more information, please visit our Circularity issue brief. 

Throughout 2024, AT&T had no material losses related to litigation or non-appealable regulatory decisions involving anti-competitive behavior.

• Owned and commercially associated content
• Non-associated content

AT&T does not favor certain websites or internet applications by blocking or throttling lawful internet traffic on the basis of content, application, service, user, or use of non-harmful devices on its broadband internet access services.

In the provisioning of broadband internet access services, AT&T does not directly or indirectly favor some traffic over other traffic in exchange for consideration from a third party or to benefit an affiliate, except to address the needs of emergency communications, law enforcement, public safety (including FirstNet), or national security authorities, consistent with or as permitted by applicable law.

For more information on our approach to network traffic management, see the AT&T Broadband Information: Network Practices webpage. For information on the expected and actual performance of our wireline and mobility network services, see the AT&T Broadband Information: Performance Characteristics webpage.

• System average interruption frequency
• System average interruption duration
• Customer average interruption duration

• System average interruption frequency: 0.0645
• System average interruption duration: 4.4126
• Customer average interruption duration: 68.3801

• System average interruption frequency = total unplanned interruptions/total customer ports
• System average interruption duration (in minutes) = total unplanned interruption duration/total customer ports 
• Customer average interruption duration (in minutes) = total number of customers interrupted in each incident multiplied by the duration of each service disruption/total number of customers interrupted

We invest in processes, collaborations and asset updates to ensure our network remains strong and operational. Every hour, our Network teams collect billions of service-assurance measurements, analyzing the data in near-real time to improve performance and deliver the best possible customer experiences.

Our global team of certified business continuity experts uses a risk-based approach to develop business resumption plans. This is guided by our Business Continuity Management Program which covers management disciplines, processes and techniques for supporting employees and critical business operations during significant disruption. The program is certified to ISO 22301:2021 and aligns with: Disaster Recovery Institute International Professional Practices, Business Continuity Institute Good Practice Guidelines, Federal Emergency Management Agency National Incident Management System, and ISO 31000. Our alignment with these standards indicates our readiness to resume business operations and deliver customer service in the vital hours and days after a disaster. 

We have invested more than $1 billion over the past three decades in our Network Disaster Recovery Program, which rapidly restores connectivity to disaster-affected areas. Following a disaster, we activate our internal Emergency Operations Center to coordinate all business areas around timely recovery efforts. 

For additional details on our managerial approach, please see our Network Resilience and Cybersecurity issue briefs and our Network Practices website.