Massive AT&T Data Breach Impacts Nearly All Customers

A massive AT&T data breach has impacted nearly all of the telecom giant’s cellular customers, as well as non-customers on its network.

AT&T disclosed the breach on Friday. It’s working with law enforcement in its efforts to arrest those involved in the incident and says that at least one person has been apprehended.

AT&T said it discovered in April that customer data was illegally downloaded from its workspace on a third-party cloud platform. It launched an investigation, and engaged cybersecurity experts to understand the nature and scope of the criminal activity.

“Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T's cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T's wireless network, as well as AT&T's landline customers who interacted with those cellular numbers between May 1, 2022-October 31, 2022,” it said. “The compromised data also includes records from Jan. 2, 2023, for a very small number of customers. The records identify the telephone numbers an AT&T or MVNO cellular number interacted with during these periods. For a subset of records, one or more cell site identification number(s) associated with the interactions are also included.”

Related:Advance Auto Parts Data Breach Impacts Millions

The data doesn’t contain the content of calls or texts, personal information such as Social Security numbers, dates of birth or other personally identifiable information (PII), AT&T said. It also doesn’t include some typical information as the time stamp of calls or texts.

“While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” it said. “At this time, we do not believe that the data is publicly available.”

AT&T spokesperson Andrea Huguely told TechCrunch the third-party cloud platform from which the data was illegally downloaded is Snowflake and is part of a cyber threat campaign targeting Snowflake customers.

According to its 2023 annual report, there are 127 million connection to AT&T's wireless network.

Disclosure of AT&T Data Breach Delayed

In a filing with the U.S. Securities and Exchange Commission (SEC), AT&T said the U.S. Department of Justice determined that a delay in providing public disclosure was warranted.

“As of the date of this filing, this incident has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations,” it said.

Related:Prudential Data Breach Impacts More than 2.5 Million People

We couldn’t reach AT&T for further comment on the data breach.

Kern Smith, Zimperium’s Americas vice president, said mobile devices are one of the primary targets for attackers to compromise credentials, through phishing, malware, network or device exploits attacks, and are often overlooked by companies as part of their overall security strategy.

Zimperium's Kern Smith

“It is important that organizations ensure that both they and their vendors have appropriate security tooling in place to prevent credential compromises, which can be leveraged downstream for larger attacks and breaches,” he said. “As part of a comprehensive security strategy, organizations must ensure that both they and their vendor’s mobile devices are protected from these attacks.”

Thomas RIchards, principal consultant at Synopsys Software Integrity Group, said while the data exposed in the AT&T data breach doesn’t directly have sensitive information, it can be used to piece together events and who might be calling whom.

“This could impact people’s private lives as private calls and connections could be exposed,” he said. “The business phone numbers will be easy to identify and private numbers can be matched to names with public record searches.”

Social Engineering Attacks Likely

Javvad Malik, lead security awareness advocate at KnowBe4, said it’s “deeply concerning” that an organization of AT&T's stature and resources failed to detect such a massive breach for an extended period. The fact that the breach continued into early 2023 and affected not only AT&T's direct customers, but also those from other carriers using AT&T's network, “underscores the far-reaching consequences of such incidents."

KnowBe4's Javvad Malik

"The inclusion of cell site identification numbers in the stolen data is particularly alarming as it could potentially allow for the triangulation of users' locations,” he said. “This adds a physical dimension to the already extensive privacy violation, and could expose individuals to highly targeted and convincing social engineering attacks, not to mention compromising the physical security of individuals, such as those trying to escape abusive relationships. The stolen metadata, while perhaps not immediately recognized as sensitive, can paint a detailed picture of an individual's daily life, habits and associations, making it a valuable asset for those with malicious intent."

The long-term impact of this AT&T data breach cannot be overstated, Malik said.

“The exposed data could be exploited for sophisticated phishing attempts, identity theft and other nefarious activities for years to come,” he said. “It is a stark reminder that the repercussions of a data breach extend far beyond the initial incident and can have lasting consequences for the affected individuals."