AT&T Corporation revealed today that a recent data breach has compromised call and text message logs for approximately 110 million individuals, virtually all of its customers. AT&T said it withheld information about the breach due to “matters of national security and public welfare,” noting that some of the data contained details that could indicate the origin of a call or message. AT&T further admitted that the customer records were exposed in a cloud-based database protected only by a username and password, with no multi-factor authentication required.

In a filing to the U.S. Securities and Exchange Commission today, AT&T disclosed that cyber attackers infiltrated an AT&T workspace on a third-party cloud service in April and downloaded files containing customer call and text communications from May 1 to October 31, 2022, as well as on January 2, 2023.
The company emphasized that the stolen data includes logs of calls and texts for mobile service providers that resell AT&T’s services, but does not contain the actual content of the conversations, Social Security numbers, birth dates, or any other personally identifiable information.
Nevertheless, a subset of the compromised records included details about the cellular communications towers closest to the user, information that could be used to estimate the general location of the customer’s device making or receiving those calls or messages.
“Even though customer names are not present in the dataset, it is possible, through publicly available online tools, to link a telephone number with a specific individual,” AT&T said.
AT&T stated that they became aware of the breach on April 19 but chose to delay public notification at the request of federal authorities. According to the company’s SEC filing, at least one person has been apprehended by law enforcement in connection with the breach.
In an official statement provided to KrebsOnSecurity, the FBI confirmed that it had instructed AT&T to postpone informing affected customers.
“Following the identification of a potential data breach and before determining its significance, AT&T reached out to the FBI to report the incident,” the FBI statement reads. “Upon evaluating the breach’s nature, all parties discussed the potential postponement of public disclosure under Item 1.05(c) of the SEC rule due to probable risks to national security or public welfare. AT&T, FBI, and DOJ collaborated during the delay process, sharing crucial threat intelligence to enhance FBI investigative interests and support AT&T’s response to the incident.”
TechCrunch quoted an AT&T spokesperson as saying that the customer data was stolen as part of an ongoing data breach involving over 160 customers of the cloud service provider Snowflake.
Earlier this year, malicious intruders discovered that numerous major organizations had uploaded extensive amounts of valuable and sensitive customer data onto Snowflake servers, yet had secured those accounts with nothing more than basic login credentials.
According to a Wired report last month, the hackers behind the Snowflake data thefts acquired stolen credentials from the dark web, where services sell access to usernames, passwords, and authentication tokens obtained by malware. Snowflake has since mandated the use of multi-factor authentication for all new clients.
Other organizations with millions of customer records exposed from Snowflake servers include Advance Auto Parts, Allstate, Anheuser-Busch, Los Angeles Unified, Mitsubishi, Neiman Marcus, Pure Storage, Santander Bank, State Farm, and Ticketmaster.
Earlier this year, AT&T reset passwords for millions of clients after acknowledging a data breach dating back to 2018 affecting around 7.6 million existing AT&T account holders and approximately 65.4 million former account holders.
Mark Burnett, an application security specialist, consultant, and writer, said the only real use for the data stolen in the recent AT&T breach is to discern who is communicating with whom and how frequently.
“The most concerning aspect of this AT&T breach involving ALL customer call and text records is that this isn’t one of their main databases; it is metadata about who is reaching out to whom,” wrote Burnett on Mastodon. “This raises questions about the possible applications of call logs without timestamps or names.”
It remains puzzling why many corporate entities persist in storing extensive sensitive customer information with minimal security safeguards. For instance, Advance Auto Parts announced that the exposed data included full names, Social Security numbers, driver’s licenses, and government-issued identification numbers for 2.3 million individuals who were former employees or job applicants.
This could be due to the lack of consequences beyond the customary class-action lawsuits that follow such incidents, as companies are not often held accountable for lax security measures. AT&T told the SEC that it does not expect this event to have a considerable impact on its financial status or operational outcomes. AT&T reported revenues of more than $30 billion in the last quarter.
