AT&T suffered a massive breach that affected tens of millions of its mobile customers in a cyber incident caused by an illegal download from a third party cloud provider, allegedly, data cloud giant Snowflake. AT&T disclosed the data breach in a filing with the Securities and Exchange Commission.
The wireless carrier serves more than 100 million customers in the United States, and it acknowledged in a July 12 statement that the compromised data includes files containing AT&T records of calls and texts of “nearly all” of AT&T’s cellular customers.
AT&T also said the breach affected customers of mobile virtual network operators using AT&T’s wireless network, and AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022, and Oct. 31, 2022.
“There’s no business too big or security environment too advanced for threat actors to target,” Dan Schiappa, Artic Wolf chief product and services officer told MSSP Alert in an email. “Attacks on mega-corporations like AT&T and Ticketmaster provide attackers with the opportunity to command a large ransom sum with the stolen data, whether they sell it on the dark web or to American adversaries.”
Attack Timeline: ATT Data Breach
Once it learned of the breach on April 19, AT&T said it launched an investigation and hired leading cybersecurity experts to understand the nature and scope of the incident. The company said it has taken steps to close off the illegal access point and was working closely with law enforcement, pointing out that at least one person has been apprehended. AT&T also noted that the most recent breach was unrelated to the breach in experienced this past spring.
At this time, AT&T said it does not believe the data is publicly available. The company also said in a letter to customers that the data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. It also does not include some typical information users would see in usage details, such as the time stamp of calls or texts.
Incident Linked to Recent Snowflake Breaches
AT&T’s spokesperson Andrea Hugely reportedly told Tech Crunch that the most recent compromise of customer records were stolen from Snowflake during the recent flurry of incidents the cloud data company experienced. The telecom giant confirmed to SC Media that the data breach occurred outside of its network via cloud IT service provider Snowflake.
In a statement regarding the AT&T attack, a Snowflake spokesperson said: "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,"and added that this has also been verified following investigations with third-party cybersecurity experts Mandiant and CrowdStrike.
Still, organizations using Snowflake are advised to take precautions.
Jason Soroko, senior vice president of product at Sectigo, said that companies using Snowflake should immediately implement multi-factor authentication (MFA) to enhance security and protect sensitive data. Soroko said MFA provides an additional layer of defense against unauthorized access, significantly reducing the risk of breaches.
“This is true, not just for Snowflake, but anyone using a third-party service via an authenticated session, that authentication needs to be using a credential stronger than just a username and password.”
Darren Guccione, co-founder and CEO at Keeper Security, said AT&T’s latest announcement revealing another major data breach is a painful, second blow to the millions of customers who have already lost trust after having their private information exposed by the company earlier this year. Guccione said although the leaked phone records do not contain the contents of calls and text messages, they do provide records of who customers interacted with, and some include identification numbers that could help bad actors determine where calls were made and texts were sent.
“The disclosure of this information — following the leak of Social Security numbers, names, email and mailing addresses, phone numbers, dates of birth, account numbers and passcodes — is a clear violation of personal privacy and trust,” said Guccione. “These massive breaches, affecting millions of customers, underscore the persistent and evolving threats to digital security, and why everyone must take concrete, proactive steps to safeguard their own sensitive information.”
Ted Miracco, chief executive officer at Approov, added that despite AT&T's reassurances that sensitive data such as Social Security numbers were not compromised, the stolen metadata alone can be highly damaging. Miracco said cybercriminals can use call and text logs, even without content, for various malicious purposes, including targeted attacks and identity theft or to piece together patterns of behavior, relationships, and possibly even to approximate locations through cell site information.
“Such data can facilitate further targeted smishing attacks or be sold on the dark web to other malicious actors,” said Miracco. “The sheer volume of internet traffic from mobile devices makes them highly attractive targets for hackers. With mobile devices accounting for more than half of global web traffic, any breach can provide vast amounts of valuable data.”
Mobile devices are one of the primary targets for attackers to compromise credentials, but are often overlooked by companies as part of their security strategies, said Zimperium's Kern Smith.
"As part of a comprehensive security strategy, organizations must ensure that both they and their vendors' mobile devices are protected from these attacks," said Smith, who is vice president for the Americas at Zimperium.
This story is based on one originally published by SCMedia. Read the complete story here.