AT&T last week revealed a massive data breach involving call and text records logged from the vast majority of its mobile customers, with the incidents occurring between May and October 2022, and then again on Jan. 2, 2023.
Impact: This security breach, first discovered in April, affected “nearly all” AT&T wireless customers, including subscribers to MVNOs that use AT&T’s network. That means Cricket, Boost Mobile, and Consumer Cellular customers were also impacted, as were AT&T landline customers who interacted with any of the stolen cellular numbers and customers of other carriers who interacted with AT&T numbers within the theft window. A smaller one-day attack in early January 2023 also compromised records from a “very small number” of customers. AT&T reported that the breach has been traced to “threat actors” infiltrating a workspace on data cloud partner Snowflake’s platform that housed a copy of this data, which AT&T had been using for business analysis. It’s not yet clear why it took so long for the breach to be detected, and AT&T hasn’t addressed that in any of its statements. But other companies, including Ticketmaster and LendingTree, have also reported significant thefts of data hosted by Snowflake, so it’s possible it took the vendor that long to discover the issue. Snowflake placed the blame for the thefts on its customers for not using multi-factor authentication to secure their data on its platform.
The stolen data, characterized by AT&T as “aggregated metadata,” identified wireless or landline telephone numbers that the affected customers called or texted, as well as counts of calls and texts and total call durations within the specific time periods when the hacking occurred. The compromised data did not include the content or time stamps of any communications or involve customers’ Social Security numbers or other personally identifiable information. However, some of the data included cell site identification numbers, which could be used to geolocate the caller. Of course, as AT&T pointed out (and we all know), linking a name to a telephone number doesn’t present much of a challenge. AT&T was quick to assure its customers and the public that it has plugged the leak and is working with law enforcement to apprehend the hackers. AT&T also does not believe at this time that the stolen data is publicly available. TechCrunch reported that AT&T plans to notify approximately 110 million of its current and former customers about the breach. The publication also said that one person has already been arrested in relation to the hack. More recently, The Verge reported that AT&T paid the hackers $370,000 (down from the $1 million originally requested) through a paid intermediary to delete the information, with Wired reporting that the hackers supplied a video purporting to prove the data had in fact been destroyed.
In a regulatory filing to the Securities and Exchange Commission, AT&T indicated that it became aware of the data breach on April 19 but delayed notifying customers and the public on two separate occasions, in May and June, in cooperation with the FBI and the Department of Justice. The delays reportedly involved concerns about “potential risks to national security and/or public safety.” That’s because, according to industry security analysts, this breach poses dual threats to national security and individual consumers. Hostile governments could use the stolen data to pinpoint who works in sensitive locations, then build profiles of their contacts, potentially exposing covert communications networks. Cyber criminals also could impersonate customers’ banks, credit card companies, or other contacts to make phishing attempts more credible, with at least one analyst describing the theft to NBC as a “megabreach.” The FCC also has joined the investigation.
So far, 2024 has not been kind to AT&T. In February, a prolonged national outage prompted the company to issue $5 compensatory refunds to inconvenienced customers to the tune of an estimated $140 million. Then in March, a data breach resulted in Social Security numbers and other personally identifiable information of 7.6 million current and 65.4 million former subscribers being leaked to the “dark web.” NBC also reported comments from Sen. Ron Wyden (D-OR), who excoriated AT&T and the telecom industry for the ongoing leaks and called for the FCC to start holding carriers responsible for their cybersecurity lapses to the tune of billion-dollar fines. But at this point, it seems difficult for any company that collects customer information to stay ahead of bad actors constantly finding new ways to steal personal data.