
AT&T Details Massive Breach of Customers' Call and Text Logs

Data Stolen From Snowflake Account; Telco Likely to Notify 110 Million Individuals

Attackers have stolen logs of call and text interactions pertaining to nearly every one of AT&T's millions of wireless customers, the telecommunications giant warned Friday.


The Dallas-based company said in a data breach notification that the stolen data largely pertains to calls made over a six-month period in 2022. It said the data was "downloaded from our workspace on a third-party cloud platform" and has now "been secured."

Information pertaining to about 110 million customers appears to have been exposed.

AT&T is America's largest provider of fixed telephone services and one of the top three wireless telephony providers, based on subscribers. Spokeswoman Andrea Huguely told Information Security Media Group the data was stolen from its account with data warehousing platform Snowflake, as TechCrunch first reported (see: Victims of Snowflake Data Breach Receive Ransom Demands).

The FBI said AT&T immediately alerted it to the breach. An FBI spokesman told Information Security Media Group that the timely reporting and AT&T's continuing cooperation have been beneficial to the bureau's ongoing investigation.

The telco said the stolen data pertains to the period from May 1, 2022, to October 31, 2022, and includes records for both wireless service users and users of any wireline - aka landline - telephones who communicated with them.

"Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T's wireless customers and customers of mobile virtual network operators ('MVNO') using AT&T's wireless network," the company told investors via an 8-K filing Friday to the U.S. Securities and Exchange Commission.

"The call and text records identify the phone numbers with which an AT&T number interacted during this period, including AT&T landline (home phone) customers," and also include a per-day and per-month count of such calls as well as total talk time, it said. Some records also included cell site ID numbers, which could be used to identify the approximate geographic location of a cellular user.

AT&T said it believes the information was exfiltrated between April 14 and April 25 of this year.

Stolen data didn't include information such as a subscriber's name, birthdate or Social Security number, or time stamps for individual calls, the company said. "While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number," it said.

The company is warning subscribers to beware of suspicious texts or other attempts to scam them via their wireless number. Fraudsters could use the stolen data to facilitate phishing attacks, as well as SMS phishing, aka smishing.

The company said it first learned of the breach on April 19, at which point it "immediately activated its incident response process to investigate and retained external cybersecurity experts to assist."

The SEC requires publicly traded firms to report all "material" cybersecurity incidents to investors via a Form 8-K within four days of determining it's material, except under certain circumstances.

AT&T said it's been assisting a law enforcement investigation into the breach and that on May 9 and again on June 5, the U.S. Department of Justice determined that "a delay in providing public disclosure was warranted" as it continued to probe the breach. "AT&T is now timely filing this report," the company said in its Friday 8-K filing.

"Based on information available to us, we understand that at least one person has been apprehended," the company said.

The FBI spokesman declined to comment on the arrest report but did confirm that the DOJ requested the public breach notification delay on the grounds that disclosing the breach earlier would "pose a substantial risk to national security and public safety, in accordance with the SEC's rules."

AT&T said its notifications to victims will be forthcoming. "If your account was affected by the event, we'll contact you by text, email or U.S. mail," it said.

The telco now joins the list of Snowflake customers who fell victim to a recent credential stuffing campaign. In a joint investigation conducted with Mandiant and CrowdStrike, Snowflake reported that attackers stole data from about 165 customers. This week, automotive parts supplier Advance Auto Parts reported it's notifying 2.3 million individuals that their personal information, in some cases including Social Security numbers, was exposed via the breach of its Snowflake account. Other publicly named Snowflake customers who lost data include Santander Bank, luxury retailer Neiman Marcus, the Los Angeles Unified School District and Live Nation Entertainment's Ticketmaster.

Following the breach of customer accounts, Snowflake this week introduced additional security features, including giving account administrators the ability to enforce mandatory use of multifactor authentication for account access. Security experts have called on other cloud providers to follow suit (see: Multifactor Authentication Shouldn't Be Optional).

AT&T said its Snowflake breach is unrelated to an old tranche of data allegedly pertaining to 70 million AT&T customers, which was released in March for free on a hacking forum, three years after the prolific data leak gang ShinyHunters first advertised it for sale on the cybercrime underground.

"We have no indications of a compromise of our systems," an AT&T spokesman told Information Security Media Group in a statement in March (see: After 70M Individuals' Data Leaks, AT&T Denies Being Source).

"We determined in 2021 that the information offered on this online forum did not appear to have come from our systems," he said. "This appears to be the same dataset that has been recycled several times on this forum."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.