AT&T customer data downloaded in massive security breach

Approximately 109 million customer accounts were impacted

(Mark Lennihan / AP Photo)

The telecommunications giant AT&T said Friday that the data of nearly all its customers was downloaded to a third-party platform in a security breach. Cyberattacks against small and large businesses, schools and health systems continue to spread worldwide.

The security breach, which mainly occurred over five months in 2022, affected AT&T’s cellular customers, customers of mobile virtual network operators using AT&T’s wireless network, and landline customers who interacted with those cellular numbers.

Advertisements

According to AT&T, the breach impacted approximately 109 million customer accounts. The company believes the data has yet to become publicly available.

“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information,” AT&T said Friday.

The company said that the compromised data also does not include some information typically seen in usage details, such as the time stamp of calls or texts or customer names. AT&T, however, said that there are often ways to use publicly available online tools to find the name associated with a specific telephone number.

Cyber security experts concurred that such data can be used to trace users.

“While the exposed information doesn’t have sensitive information, it can be used to piece together events and who may call who. This could impact people’s private lives as private calls and connections could be exposed,” Thomas Richards, principal consultant at Synopsys Software Integrity Group, said in an emailed statement. “The business phone numbers will be easy to identify, and private numbers can be matched to names with public record searches.”

An internal investigation determined that compromised data includes AT&T records of calls and texts between May 1, 2022, and Oct. 31, 2022.

AT&T identified the third-party platform as Snowflake and said the incident was limited to an AT&T workspace on the cloud company’s platform and did not impact its network.

AT&T’s investigation is ongoing, and it has engaged with cybersecurity experts to understand the nature and scope of the criminal breach. According to the company, at least one person has been apprehended.

Compromised data includes a few customers’ records from Jan. 2, 2023. The records identify the telephone numbers as AT&T or MVNO cellular numbers interacted with during these periods. A subset of records includes one or more cell site identification number(s) associated with the interactions.

The Federal Bureau of Investigation said it has worked collaboratively with AT&T and the Justice Department “through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and assist AT&T’s incident response work.”

In an email, Aaron Walton, threat intel analyst at Expel, said the attack on AT&T is part of a series of possible breaches due to “weak security controls around data storage.”

“Enabling multi-factor authentication (MFA) for the accounts could have mitigated the breach in many cases or made them substantially more difficult to carry out,” Walton said.

The Department of Justice said Friday it became aware of the breach early this year but met the security standard for a delayed filing by AT&T with the U.S. Securities & Exchange Commission. This filing was made public Friday.

The DOJ said an earlier breach disclosure would “pose a substantial risk to national security and public safety.”

Several major data breaches, including an earlier attack on AT&T, have already marked the year. In March, AT&T said that a dataset on the “dark web” contained information such as Social Security numbers for about 7.6 million current AT&T account holders and 65.4 million former account holders.

Some auto dealerships still use pens and paper to close deals after a company that supplies them with software was attacked twice last month. CDK Global is still attempting to reestablish normal operations after the breach.

Cybersecurity experts warn that hospital systems around the country, which have already been targeted, are at risk for more attacks and that the United States government is doing too little to prevent breaches of this magnitude.

AT&T customers can visit att.com/DataIncident for more information. Shares of AT&T Inc. fell slightly on Friday.