AT&T Verifies Data Breach Impacting Nearly All Mobile Customers

AT&T, a US telecommunications company, has verified that cybercriminals successfully breached data related to “almost all” of its mobile clients as well as those of mobile virtual network operators (MVNOs) utilizing AT&T’s wireless network.

The company mentioned that the unauthorized access occurred in an AT&T workspace on a third-party cloud platform. The breach lasted from April 14 to April 25, 2024, and involved the extraction of files containing customer call and text records for specific durations in 2022 and 2023.

The compromised data includes telephone numbers connected to AT&T and MVNO wireless accounts, details of interactions with those numbers, and aggregate call duration metrics. Additionally, certain records contained GSM Cell ID numbers, potentially enabling the perpetrators to determine the rough location of a customer during a phone call or text exchange. AT&T promised to notify current and former customers if their data was part of the breach.

According to Jake Williams, an ex-NSA hacker and IANS Research faculty member, the attackers leveraged previously obtained data to link phone numbers with identities. The stolen information essentially comprises call data records (CDRs), which are valuable for intelligence analysis because they reveal communication patterns between individuals.

AT&T’s list of MVNOs encompasses various providers like Black Wireless, Cricket Wireless, and TracFone Wireless. Although AT&T did not disclose the cloud provider, Snowflake confirmed its involvement in the breach that affected several other companies like Ticketmaster and Santander, as reported by Bloomberg.

The company detected the breach on April 19, 2024, and promptly initiated a response. It’s collaborating with law enforcement to apprehend the perpetrators, with at least one arrest already made.

404 Media reported that John Binns, a 24-year-old American citizen, is associated with the incident. Binns, previously apprehended in Turkey in May 2024, is tied to the T-Mobile intrusion in 2021 where customer data was compromised.

However, AT&T said that the accessed data does not contain call content or personal information such as Social Security numbers or birth dates. The company clarified in a filing with the SEC that while customer names are absent, they could potentially be linked to phone numbers using online tools.

AT&T recommends vigilant monitoring for scams and fraudulent activities, suggesting users only open messages from trusted sources. Customers can also request the details of their calls and texts from the illicitly obtained data.

The ongoing malicious campaign targeting Snowflake has impacted 165 customers, with Mandiant tracing it to a financially motivated threat group identified as UNC5537. This group operates with members in North America and a collaborator in Turkey.

The hackers are now demanding ransoms ranging from $300,000 to $5 million for the compromised data. The situation is expanding, as evidenced by cascading effects from the criminal activity.

Recently, WIRED revealed how the hackers obtained stolen Snowflake credentials via dark web services, including access through a third-party contractor named EPAM Systems.

Snowflake has taken steps to enhance security, announcing the enforcement of mandatory multi-factor authentication (MFA) for all users, with plans to extend this requirement to all new accounts in the near future.
