AT&T disclosed a massive data breach today that impacts “nearly all” of its customers’ call and text records. The hackers gained unauthorized access to a third-party cloud platform containing this data, which an AT&T spokesperson confirmed to The Cyber Express is Snowflake.
The incident, discovered in April, impacts a vast swathe of AT&T’s mobile and landline customers, raising concerns about potential identity theft and targeted attacks. However, a spokesperson for AT&T told The Cyber Express:
“This was aggregated metadata, not the content of calls or texts, nor was it social security numbers or credit card information. This incident took place outside of our network. Our systems were not breached.”
According to AT&T, the compromised data spans May 1 to October 31, 2022, for most customers, with a limited number of records from January 2, 2023. While the data doesn’t include call and text content, Social Security numbers, or other personally identifiable information (PII), it does contain phone numbers and, for some records, cellular site location details.
“Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, as well as AT&T’s landline customers who interacted with those cellular numbers.”
AT&T warned that phone numbers, coupled with publicly available online tools, can be used to identify individuals. Though the telecom giant says the data isn’t publicly available currently, the potential for future exposure remains a significant risk.
AT&T Data Breach Tied to Larger Snowflake Breach
Details regarding the attackers or their motivations are not yet clear. However, an AT&T spokesperson told TCE that the data was accessed through the cloud platform Snowflake.
Snowflake is currently at the center of a string of high-profile breaches affecting Ticketmaster, Santander, Advance Auto Parts, Pure Storage, and Neiman Marcus, among others.
In June, cybersecurity company Mandiant said it had found credentials for 165 Snowflake customers exposed by infostealer malware, some stolen as far back as 2020. Infostealers harvest credentials from infected machines, not only usernames and passwords but also authentication tokens and cookies. Many of these credentials are then offered for sale on dark web forums for anywhere from tens to thousands of dollars.
Snowflake did not immediately respond to a request for comment, but in May the company’s CISO Brad Jones had said, “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” attributing the breaches to poor credential hygiene in customer accounts instead.
Since then, Snowflake has taken several measures to refine its security posture, including the establishment of a Trust Center and enabling Snowflake admins to make multifactor authentication (MFA) mandatory.
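For a Snowflake administrator reading this, the practical question is how to find password-only logins and unrotated credentials of the kind Mandiant described, and how to use the new mandatory-MFA control. The following SQL is an added example written for this article; it is not code from AT&T, Snowflake, or the original page. The statements follow Snowflake’s documented ACCOUNT_USAGE views (LOGIN_HISTORY and USERS) and its authentication and network policy syntax as the author understands them; the policy names, the IP range, and the 90-day and 2021 thresholds are hypothetical placeholders, and the statements should be checked against current Snowflake documentation before use. They require a role with account-level administrative privileges.

```sql
-- Added example, not from the article, AT&T or Snowflake.
-- Object names, IP ranges and time windows are hypothetical placeholders.

-- 1. Hunt: successful logins that relied on a password with no second factor.
--    A replayed infostealer credential shows up here as a password-only login,
--    typically from an unfamiliar IP and a scripted client rather than the web UI.
SELECT
    event_timestamp,
    user_name,
    client_ip,
    reported_client_type,
    first_authentication_factor,
    second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())   -- window is an assumption
ORDER BY event_timestamp DESC;

-- 2. Hunt: live users that have a password, are not enrolled in Duo MFA, and
--    whose password predates the 2020-era infostealer logs Mandiant described.
--    Anything returned here is a candidate for forced rotation and MFA enrollment.
SELECT
    name,
    has_password,
    ext_authn_duo,
    password_last_set_time,
    last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
  AND password_last_set_time < '2021-01-01'   -- cutoff is an assumption
ORDER BY password_last_set_time;

-- 3. Harden: require MFA enrollment account-wide (the control the article says
--    Snowflake now exposes to admins) and restrict where logins may originate,
--    so a valid stolen password from an attacker's host is still refused.
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Password users must enroll in MFA at next login';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')   -- hypothetical corporate egress range
  COMMENT = 'Reject logins from outside corporate egress even with valid credentials';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Query 1 is the more useful of the two hunts: because infostealers also take session tokens and cookies, a password reset alone does not close the door, so the login history should be reviewed for the period before and after any rotation. Query 2 finds the stale, unprotected accounts that make that theft worthwhile in the first place. The policies in step 3 are the preventive counterpart; the network policy is the one that would have stopped replay of a stolen password from an attacker-controlled address.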
One Arrested in Relation to the AT&T Data Breach
The telecom giant has enlisted cybersecurity experts to investigate the intrusion and partnered with law enforcement, the company confirmed in an 8-K filing with the U.S. Securities and Exchange Commission.
“AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended.”
AT&T plans to notify impacted customers and offer resources to safeguard their information. This incident underscores the critical need for robust cloud security measures and highlights the expanding threat landscape for the telecommunication industry.
The lack of call content or PII might be a saving grace, but the potential for identity theft and targeted attacks using phone numbers persists. Security professionals will be keenly interested in learning more about the attack methodology, and in particular whether a weakness in the cloud platform was involved or whether, as Snowflake has maintained, the attackers simply used stolen customer credentials.