AT&T disclosed a massive data breach today that impacts “nearly all” of its customers’ call and text records. The hackers gained unauthorized access to a third-party cloud platform containing this data, which an AT&T spokesperson confirmed to The Cyber Express was Snowflake.
The incident, discovered in April, impacts a vast swathe of AT&T’s mobile and landline customers, raising concerns about potential identity theft and targeted attacks. However, a spokesperson for AT&T told The Cyber Express:
“This was aggregated metadata, not the content of calls or texts, nor was it social security numbers or credit card information. This incident took place outside of our network. Our systems were not breached.”
According to AT&T, the compromised data spans May 1 to October 31, 2022, for most customers, with a limited number of customers affected from January 2, 2023. While the data does not include call and text content, Social Security numbers, or other personally identifiable information (PII), it does contain phone numbers and, for some records, cellular site location details.
“Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, as well as AT&T’s landline customers who interacted with those cellular numbers.”
The phone numbers, coupled with publicly available online tools, can be used to identify individuals, AT&T warned. Though the telecom giant assures that the data is not currently publicly available, the potential for future exposure remains a significant risk.
AT&T Data Breach Tied to Larger Snowflake Breach
Details regarding the attackers or their motivations are not yet clear; however, an AT&T spokesperson told TCE that the access point for the breach was the cloud platform Snowflake.
Snowflake is currently at the center of what are probably the biggest and most high-profile breaches of recent months, including Ticketmaster, Santander, Advance Auto Parts, Pure Storage, and Neiman Marcus, among others.
In June, cybersecurity company Mandiant said it had found the credentials of 165 Snowflake customers exposed by infostealer malware since 2020. Infostealers typically harvest credentials from infected machines, not only usernames and passwords but also authentication tokens and cookies. Many of these credentials are then offered for sale on dark web forums for anywhere from a few tens to thousands of dollars.
Snowflake did not immediately respond to a request for comment, but in May the company’s CISO Brad Jones had said, “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” attributing the breaches instead to poor credential hygiene in customer accounts.
Since then, Snowflake has taken several measures to refine its security posture, including the establishment of a Trust Center and enabling Snowflake admins to make multifactor authentication (MFA) mandatory.
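The pattern behind these breaches is a valid password replayed with no second factor, and the fix Snowflake now offers is an account-wide MFA requirement. The Snowflake SQL below is an added example, not code from the article, AT&T or Snowflake; it audits for password-only logins and users who never enrolled in MFA, then enforces enrollment. The policy name `require_mfa_policy` and the schema `security_db.policies` are assumptions; the `ACCOUNT_USAGE` views and the authentication policy syntax are Snowflake’s.

```sql
-- Added example (not from the article, AT&T or Snowflake). Run as ACCOUNTADMIN.
-- Object names require_mfa_policy and security_db.policies are assumptions.

-- Step 1: audit. Successful logins in the last 30 days that used only a
-- password and no second factor. A stolen password replayed from an
-- infostealer dump looks exactly like one of these rows, typically from an
-- unfamiliar client IP and a non-interactive driver.
SELECT user_name,
       client_ip,
       reported_client_type,
       event_timestamp
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- Step 2: inventory. Live users that hold a password but have never
-- enrolled in MFA (EXT_AUTHN_DUO stays FALSE until the user enrolls).
SELECT name, has_password, ext_authn_duo, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE;

-- Step 3: enforce. An account-level authentication policy that makes MFA
-- enrollment mandatory for password logins: the control the article says
-- Snowflake admins can now switch on. Policies are schema objects, so the
-- schema below (an assumption) must exist first.
USE SCHEMA security_db.policies;

CREATE OR REPLACE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED;

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;
```

Step 1 is the query to schedule as a recurring detection; a non-empty result after Step 3 is in place means a password-only login path still exists and should be investigated.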
One Arrested in Relation to the AT&T Data Breach
The telecom giant has enlisted cybersecurity experts to investigate the intrusion and partnered with law enforcement, the company confirmed in an 8-K filing with the U.S. Securities and Exchange Commission.
“AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended.”
The identity of the arrested individual is not clear but as reported by 404 Media, John Binns, an American hacker recently arrested in Turkey, is linked to the massive breach of AT&T. Binns is already indicted for allegedly hacking T-Mobile.
Another noteworthy aspect of the latest AT&T data breach is that the breach took place in April but the U.S. telco made it public only now. This is because the company received a national security exception from the U.S. Department of Justice under the updated SEC reporting requirements.
“On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted. AT&T is now timely filing this report.”
This is probably the “first such exception I’m aware of,” said Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency.
Experts Call AT&T Breach ‘A Huge National Security Incident’
While the telco assured that no PII was involved, experts like John Scott-Railton of the privacy-focused Citizen Lab deemed the situation “a huge national security incident given government customers on (their network).”
“An unknown entity now has an NSA-level view into Americans’ lives,” Scott-Railton said. “Making matters worse, it looks like some of the data has cell site information. That means broad stroke location information that can be translated into intelligence about people’s locations and movements.”
Rachel Tobac, CEO of SocialProof Security and a CISA Technical Advisory Council member, said, “This AT&T breach will massively disrupt everyday folks, celebrities, politicians, activists… The breach includes numbers called/texted & amount of call/text interactions, call length, & some people had cell site id numbers leaked (which leaks the approximate location of user).”
This breach exposes sensitive political, business, and interpersonal interactions and increases the risks of social engineering, extortion, and phishing attacks via call, email, text, and social media, Tobac said in a LinkedIn post.
“I’m still angry about it and I’m not even in it,” said Runa Sandvik, founder of Granitt, a company that focuses on securing journalists and at-risk people around the world. “If telcos can’t protect against breaches, they should focus on holding less data; encrypting what they do have; and keeping that data safe.”
“Big breaches must come with big dollar consequences.” – John Scott-Railton
Scott-Railton shared similar views. He said that Americans have grown numb to breach notifications. “The AT&T breach is so bad it should wake everyone up. Unless big telcos face massive financial penalties for these mega breaches, they will continue.”
The share price of AT&T barely moved on the breach disclosure, which seemed to disappoint Scott-Railton. “For an absolutely unprecedented, historic breach of customer data, if the market won’t punish telcos for being reckless with our data, regulators and the FCC must,” he said.
The FCC on X said, “We have an ongoing investigation into the AT&T breach and we’re coordinating with our law enforcement partners.”
AT&T plans to notify impacted customers and offer resources to safeguard their information. This incident underscores the critical need for robust cloud security measures and highlights the expanding threat landscape for the telecommunication industry.
The lack of call content or PII might be a saving grace, but the potential for identity theft and targeted attacks using phone numbers and the possible location data persists. Security professionals will be keenly interested in learning more about the attack methodology and the specific cloud platform vulnerability exploited.
*Update July 13, 6:35 a.m.: Added expert comments and details on the arrested individual’s identity.