Massive AT&T Data Breach Compromises “Nearly All” Customer Records From May to October 2022

A bad year for cybersecurity at AT&T has gotten even worse with the news that a data breach in April of this year allowed hackers to steal about 110 million customer records, which totals nearly all of its subscribers in the United States.

The breach seems to be limited to files dating from May 1 to October 31, 2022, but at minimum “nearly anyone” with an AT&T account during that time appears to be impacted. The company says that a “smaller amount” of customer data from January 2, 2023 was also taken. Records of calls and texts were taken, and the data breach may be an offshoot of the ongoing fallout from the Snowflake storage compromise that took place in April.

Customer records do not include personal information or communications

The stolen data does not include sensitive or personally identifying information for AT&T customers, but does provide a list of all numbers that customer mobile numbers interacted with during the impacted time periods. The customer records include the number of times customers interacted with each phone number and the duration of individual calls. International calls were not included in these logs, with the exception of calls to Canada.

AT&T says that it does not believe the customer records are publicly available, but security researchers have linked the breach to the Snowflake breach of April 2024. Snowflake is a cloud storage service popular with major companies that need to host massive amounts of data, and its compromise has led to downstream data breaches of other major companies including Ticketmaster and Neiman Marcus. There is still some mystery surrounding the overall circumstances of the Snowflake breach, but the hacking group “ShinyHunters” has been active in attempting to extort some of these companies with threats to leak the stolen goods to the dark web if not paid a ransom. Security firm Mandiant has pinned the attack on an as-yet-unnamed threat actor it is calling “UNC5537,” which it says is a private criminal group seeking profits.

While personal information was not attached to the customer records, AT&T has warned impacted subscribers that there are publicly available tools that can link a phone number to its owner’s name. An “undisclosed subset” of the records included in the data breach also contained one or more cell site identification numbers linked to the calls and texts, which could be used to reveal a number’s general geographic location; this subset may have been limited to customers still using 3G connections.

AT&T says that it discovered the data breach on April 19 and immediately hired a third-party security firm to investigate, which found that the customer records had been exfiltrated from April 14 to April 25. While the risk may initially appear low, the records could be used to inform targeted phishing attacks if they make it out into the wild. Hackers might also identify people attempting to keep their identity from the public, such as law enforcement or federal agents, or could trawl through numbers looking for potential extortion possibilities. The company is not offering customers identity theft protection at this time.

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, elaborates on the potential risk to AT&T customers: “The inclusion of cell site identification numbers in the stolen data is particularly alarming, as it could potentially allow for the triangulation of users’ locations. This adds a physical dimension to the already extensive privacy violation and could expose individuals to highly targeted and convincing social engineering attacks, not to mention compromising the physical security of individuals, such as those trying to escape abusive relationships. The stolen metadata, while perhaps not immediately recognized as sensitive, can paint a detailed picture of an individual’s daily life, habits, and associations, making it a valuable asset for those with malicious intent. The long-term impact of this breach cannot be overstated. The exposed data could be exploited for sophisticated phishing attempts, identity theft, and other nefarious activities for years to come. It is a stark reminder that the repercussions of a data breach extend far beyond the initial incident and can have lasting consequences for the affected individuals.”

Data breach follows major AT&T leak to start 2024

This is the second major data breach for AT&T in 2024, following an incident first reported in early April that is thought to have involved the records of 73 million current and former customers. This breach contained customer records from 2019 and earlier but also contained an array of sensitive information: Social Security numbers, full contact information, dates of birth, and encrypted PIN passcodes used to secure AT&T accounts.

AT&T has said that it believes at least one person involved in the more recent data breach is in custody, though the FBI has not yet publicly commented on the investigation. That information comes from a mandatory SEC disclosure that broke new ground in being the first in which the Justice Department ordered a company to delay filing due to possible public safety or national security concerns.

The development is also another chapter in the unfolding Snowflake story, which is shaping up to be an ongoing data breach to rival the MOVEit incident of roughly one year ago. The scale appears to be smaller, at an estimated 165 companies impacted by the Snowflake hack versus what ultimately expanded to 2,300 in total from the MOVEit breach. But the number of people impacted in terms of exposed personal data is already greater, with breaches such as Ticketmaster and this one each involving hundreds of millions of stolen customer records.

Jason Soroko, Senior Vice President of Product at Sectigo, notes that Snowflake customers should take extra security steps even if they have not been specifically contacted about a breach: “Companies using Snowflake should immediately implement multi-factor authentication (MFA) to enhance security and protect sensitive data. MFA provides an additional layer of defense against unauthorized access, significantly reducing the risk of breaches. This is true not just for Snowflake, but for anyone using a third-party service via an authenticated session; that authentication needs to be using a credential stronger than just username and password.”

Darren Guccione, CEO and Co-Founder at Keeper Security, sees this as yet another prompt for the implementation of zero trust architecture across large businesses: “This breach is also a wakeup call for organizations to reevaluate their cybersecurity strategies, emphasizing proactive measures over reactive responses. As cyber threats evolve, organizations must prioritize protecting customer data. Today, identity applications require both authentication and end-to-end encryption to provide robust cybersecurity protection. Cybersecurity technologies protecting these environments must cover every user, on every device, from every location. Data shows the human element is far more difficult to protect, and often, the most error-prone element of the attack chain; therefore, organizations should focus on implementing zero-trust security architecture and a policy of least-access to prevent unauthorized privilege escalation and ensure strict enforcement of user access roles. A Privileged Access Management (PAM) platform is essential for managing and securing privileged credentials, ensuring least privilege access and preventing lateral movement in the event of a breach. Robust threat intelligence, continuous monitoring and rapid incident response are also critical. Companies should have security event monitoring to detect and analyze privilege escalations, enabling the detection and blocking of anomalous behavior.”

Sean Deuby, Principal Technologist, Semperis, notes that telecoms and health care organizations have become particularly heavily targeted: “Unfortunately, persistent threat actors are successfully targeting critical infrastructure organizations in the telecommunications and healthcare industries, looking for gaps in their security architecture until they find a weak spot and steal whatever they want. What is highly likely in all breaches is that the criminals will compromise an organization’s identity system, such as Active Directory or Entra ID, the directory services developed by Microsoft that allow IT administrators to manage computers, devices, and employee accounts on a network, because the vast majority of attacks use these systems as a well-paved pathway to their target. This provides hackers with access to a treasure trove of personally identifiable information on employees, customers, business strategies and other sensitive information. Organizations need to have an assumed breach mindset because threat actors will eventually breach most of their targets if they’re persistent enough. It’s not just a risk; it’s a probability. Having a backup and recovery plan in place is an essential part of improving operational resiliency. And preparing in peacetime is the key: in cases of ransomware, if you find out about the attack because you’ve received a ransom note, it’s too late. Mature IT organizations plan for, document, and rehearse scheduled systems maintenance; why wouldn’t you devote more effort to a widespread cyberattack? You can’t just pay your way out of ransomware and hope that the wolves won’t circle back to you.”