AT&T, a leading U.S. telecommunications giant, has disclosed a data breach affecting millions of its customers. The breach, which occurred between May 1, 2022, and October 31, 2022, involved the unauthorized access and theft of call and text-message records. This article provides a detailed analysis of the breach, its implications, and the steps AT&T and Snowflake, the cloud platform involved, are taking in response.
Details of the Breach
AT&T confirmed that the breach compromised the phone records of "nearly all" its customers, including both cellular and landline users. The compromised data includes phone numbers, call and text message logs, and cell site IDs. Notably, the content of the calls and texts was not accessed, but metadata such as who contacted whom, the duration of calls, and the total number of calls and texts was included. This metadata can reveal significant information about user interactions and approximate locations.
The breach also affected customers of other carriers that rely on AT&T's network. In total, approximately 110 million AT&T customers will be notified about the breach. Some of the compromised records are more recent, dating from January 2, 2023, although the exact number of these cases is unspecified.
Source of the Breach: Snowflake
The breach was linked to Snowflake, a cloud data platform that AT&T and other companies use to analyze large amounts of customer data. The breach was part of a broader spate of data thefts targeting Snowflake's customers. The data was stolen due to the absence of enforced multi-factor authentication (MFA) on Snowflake accounts, a security lapse that Snowflake attributed to its customers.
Snowflake's Chief Information Officer, Brad Jones, stated that investigations by cybersecurity firms Mandiant and CrowdStrike found no evidence of a vulnerability, misconfiguration, or breach of Snowflake’s platform itself. Mandiant identified the cybercriminal group UNC5537 as the perpetrator, describing them as financially motivated with members in North America and Turkey.
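As an added example that is not part of the article and not code from AT&T or Snowflake, the following Snowflake SQL shows how an account administrator would find the gap the article describes (users without MFA), review password-only logins in the account's login history, and then require MFA enrollment and restrict where logins may originate. It assumes the ACCOUNTADMIN role and the standard SNOWFLAKE.ACCOUNT_USAGE views; the policy names and IP range are placeholders.

```sql
-- Added example; not from the article or from AT&T/Snowflake.
-- Assumes ACCOUNTADMIN and the SNOWFLAKE.ACCOUNT_USAGE share.

-- 1. Inventory: active, password-capable users with no MFA enrolled.
SELECT name,
       has_password,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Detection: successful password-only logins in the last 90 days,
--    summarised per user, source IP and client type. This is the
--    trace an unenforced-MFA account leaves in the login history.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3
ORDER  BY logins DESC;

-- 3. Remediation: require MFA enrollment account-wide, then limit
--    the networks logins may come from. Names and the IP range below
--    are placeholders to replace with your own.
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');  -- placeholder documentation range
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

ACCOUNT_USAGE views lag live activity by up to a couple of hours, so the detection query is for periodic review rather than real-time alerting; verify that the account's break-glass and service users still authenticate before applying the network policy account-wide.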
Response and Mitigation Efforts
Upon discovering the breach on April 19, AT&T reported the incident to the FBI and the Department of Justice (DOJ). The authorities agreed to delay public notification twice due to potential national security and public safety risks. The FBI verified that it is working with AT&T to enhance investigative efforts and manage the incident response. At least one individual has been apprehended in connection with the breach, though they were not an AT&T employee.
AT&T has taken additional cybersecurity measures to close off the point of unlawful access and is working closely with law enforcement to apprehend the cybercriminals involved. The company has assured customers that their names, Social Security numbers, and credit card information were not compromised. However, AT&T cautioned that phone numbers could be linked to individuals through online tools.
Previous Incidents and Broader Implications
This breach marks AT&T's second significant security incident this year. In March, the company had to reset the account passcodes of millions of customers after encrypted passcodes were leaked on a cybercrime forum. In February, a technical malfunction led to a significant cellphone outage, impacting over 1.7 million customers.
The recurring security issues highlight the challenges and responsibilities that come with being one of America's leading wireless carriers. AT&T's network supports approximately 127 million connected devices, including 87 million postpaid wireless subscribers, making it a prime target for cyberattacks.