AT&T, one of the leading telecom companies in the United States, has been impacted by a significant data breach. Call and text records of nearly all of its customers are thought to have been exposed. Learn more about the incident and the response from various stakeholders.

July 15, 2024



  • A massive data breach exposed the call and text records of millions of AT&T customers in the US.
  • The breach exposed records of both cellular and landline users. However, it did not reveal the content of calls or texts, or personal information.
  • The company has allegedly paid the hackers over $370,000 to delete the stolen information.

AT&T, one of the largest telecom companies in the US, has become a victim of a massive data breach that compromised the call and text records of almost all its customers. The leak reportedly occurred by exploiting a vulnerability in the Snowflake cloud platform, which the telecom giant used.

The flaw was leveraged to exfiltrate records from 2022 and 2023. While the breach did not contain information such as the user’s personal information or the content of the calls and messages, the stolen data could still be used to trace users or glean information about private communications.


How the Breach Occurred

The breach occurred due to a flaw in the Snowflake cloud platform used by AT&T to store customer information. AT&T estimated that the breach affected around 109 million customer accounts. This also includes mobile virtual network operators (MVNOs) and customers who interacted with AT&T landline users during the breach.

The data breach occurred over several months of 2022, specifically from May 1 to October 31. The illegal access was detected earlier this year, leading to an investigation and subsequent disclosure on July 12, 2024. AT&T delayed public disclosure to comply with security protocols and coordinate with law enforcement.

The implications of the breach are thought to extend beyond essential personal data privacy. Experts are worried about the national security risks posed by such a large-scale theft of telecommunications data. Call records could be used to reveal communication patterns, which could be leveraged by foreign intelligence services.

Responses to the Incident

AT&T has stated that it has closed access to the vulnerability and has engaged cybersecurity professionals and law enforcement to assist with the investigation. The company has allegedly paid hackers from the notorious ShinyHunters hacking group $370,000 to delete the stolen data, and has reassured its customers that the data was not publicly available. The company has also stated that an individual has been apprehended for the act.

Snowflake, the cloud platform hit by the breach, has been cooperating with law enforcement and AT&T to fix the issue. The company is likely to review its safety protocols to prevent future incidents. The impact on Snowflake was notable, with its shares experiencing a decline following the breach announcement, reflecting market concerns about cloud security.

The FBI (Federal Bureau of Investigation) and the DoJ (Department of Justice) are involved in the investigation and have delayed disclosing the breach to minimize national and public safety risks. The Federal Communications Commission (FCC) has also launched a probe into the incident.

Privacy advocates have expressed concern over the breach, highlighting the potential misuse of the exposed data. Experts have warned that even without direct personal information, the data can be exploited to trace and create profiles of individuals, leading to privacy invasions.

Nick Tausek, lead security automation architect at Swimlane, stated, “Today, AT&T has confirmed the breach involving six months of data containing call and text message records of ‘nearly all’ of its customers. AT&T is sending notifications to around 110 million customers. This breach carries significant implications for data security. This is not the first breach AT&T has disclosed this year.

Telecommunication companies, with their vast troves of sensitive data and customer information, must view this incident as a stark reminder that proactive cybersecurity measures are essential. More than relying on reactive tools is required. A layered security strategy including incident detection, response, and prioritizing visibility across the entire IT infrastructure is crucial for securing the SOC.”

Dr. Katie Paxton-Fear, security researcher at Traceable AI, also spoke about the incident:

“This attack and other Snowflake breaches we’ve seen in the past few weeks really demonstrate how much damage third-party breaches can do. When you put your and your customer’s trust in a third party, you implicitly link their brand to your own. It is essential to vet your vendors’ security and ensure they have appropriate incident response plans before you onboard any new vendors. They will alert you of data breaches.

This is particularly true for integrations like this, where your third-party tool automatically gets data from your systems, highlighting how vital monitoring network and API traffic is.”

Jim Routh, chief trust officer at Saviynt, commented: “The bulk of the records breached in this incident include metadata about calls made in 2022 and no highly sensitive customer data. Direct marketing organizations commonly use this information to improve targeting and the potential of digital consumer annoyance. Though it did not include customer credential information, it is another example of the need for enterprises to invest in redesigning third-party governance models specific to credential management.”

The breach will likely put other telecommunications companies on high alert, with expected reevaluations of security measures and cloud service agreements. The incident could also lead to industry-wide cybersecurity regulations and best practice changes.

New Developments

Over the weekend, AT&T was reported to have continued to notify affected customers about the breach and provide additional support services and security measures. As authorities continue their investigations, more details are expected to be released.

AT&T’s decision to pay the hackers has been met with mixed reactions, with some criticizing the move as incentivizing further attacks. Kevin Robertson, COO of Acumen Cyber, said: “This is a concerning update from AT&T, and the reports it paid criminals highlight the perilous position businesses find themselves in when their data ends up in the hands of hackers.

Even massive enterprises see no other option than to pay criminals; it’s not just small businesses that have to make these dangerous decisions. But, even despite this, paying criminals to delete data is always inadvisable. There are no guarantees they will stick to their word, so this doesn’t mean AT&T customers are now in the clear. The data compromised could be used to carry out fraud, so anyone who receives a breach notification must use caution online.

More positively, Snowflake has recently announced an update to its platform where admins can now make MFA (multi-factor authentication) for their users. This will provide a significant security boost against incidents like these in the future.”

Nevertheless, the priority remains on protecting customer data and preventing future incidents. The full impact of the incident will likely be uncovered in the coming months as investigations continue and affected customers push for redressal.

Takeaways

The data breach highlights the growing challenges of cybersecurity and the risks associated with reliance on cloud platforms. The complexity of detecting and investigating breaches has risen sharply. Companies and customers need to be aware of data protection practices and robust security measures.


Anuj Mudaliar

Anuj Mudaliar is a content development professional with a keen interest in emerging technologies, particularly advances in AI. As a tech editor for Spiceworks, Anuj covers many topics, including cloud, cybersecurity, emerging tech innovation, AI, and hardware. When not at work, he spends his time outdoors – trekking, camping, and stargazing. He is also interested in cooking and experiencing cuisine from around the world.