July 12, 2024

AT&T Corp. disclosed today that a new data breach has exposed phone call and text message records for roughly 110 million people — nearly all of its customers. AT&T said it delayed disclosing the incident in response to “national security and public safety concerns,” noting that some of the records included data that could be used to determine where a call was made or text message sent. AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed).

In a regulatory filing with the U.S. Securities and Exchange Commission today, AT&T said cyber intruders accessed an AT&T workspace on a third-party cloud platform in April, downloading files containing customer call and text interactions between May 1 and October 31, 2022, as well as on January 2, 2023.

The company said the stolen data includes records of calls and texts for mobile providers that resell AT&T’s service, but that it does not include the content of calls or texts, Social Security numbers, dates of birth, or any other personally identifiable information.

However, the company said a subset of stolen records included information about the location of cellular communications towers closest to the subscriber, data that could be used to determine the approximate location of the customer device initiating or receiving those text messages or phone calls.

“While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” AT&T allowed.

AT&T said it learned of the breach on April 19, but delayed disclosing it at the request of federal investigators. The company’s SEC disclosure says at least one individual has been detained by the authorities in connection with the breach.

In a written statement shared with KrebsOnSecurity, the FBI confirmed that it asked AT&T to delay notifying affected customers.

“Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident,” the FBI statement reads. “In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety. AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”

TechCrunch quoted an AT&T spokesperson saying the customer data was stolen as a result of a still-unfolding data breach involving more than 160 customers of the cloud data provider Snowflake.

Earlier this year, malicious hackers figured out that many major companies have uploaded massive amounts of valuable and sensitive customer data to Snowflake servers, all the while protecting those Snowflake accounts with little more than a username and password.

Wired reported last month how the hackers behind the Snowflake data thefts purchased stolen Snowflake credentials from dark web services that sell access to usernames, passwords and authentication tokens that are siphoned by information-stealing malware. For its part, Snowflake says it now requires all new customers to use multi-factor authentication.

Other companies with millions of customer records stolen from Snowflake servers include Advance Auto Parts, Allstate, Anheuser-Busch, Los Angeles Unified, Mitsubishi, Neiman Marcus, Pure Storage, Santander Bank, State Farm, and Ticketmaster.

Earlier this year, AT&T reset passwords for millions of customers after the company finally acknowledged a data breach from 2018 involving approximately 7.6 million current AT&T account holders and roughly 65.4 million former account holders.

Mark Burnett is an application security architect, consultant and author. Burnett said the only real use for the data stolen in the most recent AT&T breach is to know who is contacting whom and how many times.

“The most concerning thing to me about this AT&T breach of ALL customer call and text records is that this isn’t one of their main databases; it is metadata on who is contacting who,” Burnett wrote on Mastodon. “Which makes me wonder what would call logs without timestamps or names have been used for.”

It remains unclear why so many major corporations persist in the belief that it is somehow acceptable to store so much sensitive customer data with so few security protections. For example, Advance Auto Parts said the data exposed included full names, Social Security numbers, driver’s licenses and government-issued ID numbers on 2.3 million people who were former employees or job applicants.

That may be because, apart from the class-action lawsuits that invariably ensue after these breaches, there is little holding companies accountable for sloppy security practices. AT&T told the SEC it does not believe this incident is likely to materially impact AT&T’s financial condition or results of operations. AT&T reported revenues of more than $30 billion in its most recent quarter.


47 thoughts on “Crooks Steal Phone, SMS Records for Nearly All AT&T Customers”

  1. Javed Ikbal

    I have a theory that this call log was being used for a national security investigation. Otherwise why would this rise to the level of public safety/national security exemption?

    1. Daniel

      You are correct, Sir! There is only one use case for the stolen data. Social Network Analysis. Remember “PRISM”? Someone was using A.I. tools to do it. Why would AT&T be doing Social Network Analysis on their clients’ call logs and locations? Outside of a marketing use case I don’t see the value. However, a government agency would have a use case for using Snowflake for Social Network Analysis. Maybe random hackers just happened to stumble into a government operation and stole the data and in the process they now have to cover it up. Or it was targeted. I’m more worried about the use case in play for the data in question before it was stolen.

    2. carlton

      Also, the data itself is what’s from 2022 and 2023, not the breach itself; it’s a specific time…
      What was it on Snowflake for? Fast searching/processing? Why wasn’t there more data?

  2. Brian Cole

    There is a minor mistake in the article. In the 2nd last paragraph when it references Advance Auto Parts, it suggests the 2.3 million records are for job applicants. That is not what the BleepingComputer article says. It says those relate to current and former employees or job applicants. Thanks

  3. vb

    There are many ways to prevent brute force logins (repeated password guessing). Time-delays, filters, etc. There is no reason for any system to allow millions of failed password guesses. Which is how breaches like this happen (other than phishing).

    1. Andrew Rossetti

      The problem is, if you can steal a copy of the database and attack it offline, you can circumvent those protections.

      1. vb

        True, if they got the Snowflake password database, it’s game over, with rare exceptions for highly encrypted databases.

    2. vb

      I think it’s mis-direction to claim all those targeted usernames and passwords came from “information-stealing malware”. The corporations mentioned in this article have millions of employees, with only a very, very, few having the credentials for the Snowflake vaults. My experience tells me this was a brute force hack. The usernames probably follow a pattern, once they had the usernames, it was only a few million guesses to get the passwords.

      1. Moike

        While brute force hacking is often used, obtaining a username and password can be as simple as info-stealing malware on a single targeted employee with Snowflake credentials.

    3. Jim Franklin

      Or, they found a way to create/forge “session cookies” that bypassed the username/password authentication step.

  4. Chris Holland

    To have this quantity and level of data without MFA should be a criminal offence. Here in the UK, a company would be very heavily fined. No doubt a class action will result in a $100m reward for the class members minus attorney fees. Meaning $0.06 for each class member and $94m to the Law Offices of Finkelstein, Shyster & Associates P.C.

    1. schorsch

      No. It’s absolutely not a problem of MFA – it’s a problem of having sensitive data in a publicly available cloud. For no good reason. This should be a criminal offence.

  5. Paddy Valentine

    Where the fuck is the opsec in these companies? Do they not perform regular single points of failure analysis to find something so stupid?

    I’m also tired of learning of breaches months after they occur. National security, how so?

    1. Jack Stone

      Opsec is overwhelmed, underfunded, and overridden. Company is going to do how a company do. When it blows up the company sacrifices the goat they have prepared aka the CISO. They are so sorry. Here’s the goats head. You are appeased, yes? No? Fine. No product (soup) for you!!

      You want it to be taken seriously…you have to go for the jugular…the executives and board. No protection. Then it all gets serious. Until then…you are always exposed. By every company you use. Including medical. It’s just a matter of time.

      1. Fr00tL00ps

        This needs to be the mandatory lead paragraph on every masthead article that reports a data breach globally. I have been saying this for years, but until the public are really made aware of why such breaches continue to occur and who is REALLY responsible, nothing will change. Accountability at the absolute highest level is the only solution. Diagnostics 101; what is the root cause!

    2. schorsch

      This is not a problem of opsec. As long as the database is available in a public cloud, it will be stolen – no matter what opsec. opsec may delay the process for days, maybe for years. But the data will be breached.

      It’s a simple question of ‘Don’t put sensitive data in a public cloud’ or in any place where it doesn’t belong.

  6. Jeff Long

    This conduct by Corporate America makes me sick. I was a CPA for 40 years, the last 27 with my own practice. Had I ever been hacked, I would have been finished, out of business. This is the stuff that kept me awake some nights. Until corporate executives start going to prison for this kind of behavior, and other corporate bad behavior, it will continue to happen. They need to be held accountable.

    1. gradebplus

      Until the investors see some consequences they won’t hold their corporate board responsible for opsec. Companies are going to have to be broken up for scrap and sold off at a discount before this really changes. Plus criminal penalties for board members and executive officers.

  7. Glibly Glibly II

    My relative in Canada, a businessman, complains about the cellular service guardrails you have to deal with there, compared to the Wild West market south of the border in the third world. Not today. Our eyes are rolling. Freedom requires eternal vigilance, especially by and for the lazy, ignorant, or responsible.

  8. Vince Medlock

    > … apart from the class-action lawsuits that invariably ensue after these breaches, there is little holding companies accountable

    Sadly, with class action waivers and binding individual arbitration baked into TOS and terms of employment, there isn’t even this meager measure of accountability. Until Congress or the courts throw out these ridiculous conditions, companies like ATT will continue with sloppy security as usual.

  9. G.Scott H.

    AT&T customer here. I did hear from them this morning, well the email arrived last night but I only saw it this morning. I am being asked to update my email preferences. They are saying I am in control of how and what AT&T communicates with me. There is a link to email preferences and a link to the privacy policy. Nice timing.

    When will we know all the companies involved in the Snowflake incident? These companies could have chosen to use 2FA with their Snowflake accounts, and many of them enforce 2FA for their customers so it’s not like they don’t know.

  10. jr

    Thank you again for all of your information and efforts on our behalf.

  11. Security Buff

    I hadn’t heard about the breach until this afternoon. I also got the letter about email preferences and considered it spam. Do not follow any of the links in there unless you trust them!

  12. Dan Shockley

    “It remains unclear why so many major corporations persist in the belief that it is somehow acceptable to store so much sensitive customer data with so few security protections.”

    It is not at all “unclear” – these corporations know that using proper security staff and procedures would take a tiny bite out of the profits they provide their investors. So, customer privacy and security be damned.
    What? They are supposed to worry about slap-on-the-wrist fines from feckless regulators? Some toothless class action lawsuit they can settle for pennies on the dollar?
    They have no incentive to protect us. Minor penalties and massive destruction of customer privacy are just the cost of doing the business of looting the world.

  13. Mark Russo

    Amazing that all of their customers are impacted yet they reported this as not a materialistic incident yet bother reporting it in the first place. This is as bad as it gets from a brand reputation impact, but won’t be material. Companies will continue to follow suit unless the company cannot operate whatsoever (ransomware).

  14. Jezzer

    I always thought that Snowflake was an unsuitable name for a company that stored data, as snowflakes are rather lacking in persistence, but now it seems much more appropriate.

  15. Conspira Org

    The answer is to punish ATT board of directors and shareholders via unimaginably punitive fines. Since that will Never be done, because of the hypocrisy inherent in “corporations” and human ownership of such, the breaches will continue. The consequent mayhem of such breaches will be further advantaged by smart opportunists.

        1. Wristwatch Typhoon

          I’m not in the business of scamming boomer CISOs with market buzzwords so all I can say is you should have some few dozen bitcoin ready to pay unlocking/deletion fees at least once per year and consider that your cybersecurity budget.

    1. Sam Davis

      No jail time for the AT&T officials who let this happen ensures that their policy of not giving a flying fu*k about customers will continue unabated.

  16. SpeedyKlaxton

    Too big to fail corporations are not set up for PPI security, they exist to create profit and facilitate telecom for general public.
    If the data was not hacked by a hacker, it could be accessible by gov upon request or it could have been accessed and saved via a rogue employee.

    I get it, that companies this size should try to protect user data but let’s be honest. C-suits are not security focused and focus on the bottom line.

    This applies to any corp that exists around the world. YOYO with ppi protection, std intercourse protection, and what you put in your mouth to eat.. caveat emptor.. except it’s caveat everything… welcome to the brave new world.

    There’s no app for that, use your brain. Learn to hone your instinct. Critical thinking is your friend.

  17. harpy

    Man, if I was in charge of millions of $ of data, totaling 1/3 people in the country, I too would secure it under an account with no 2fa.

    2fa is too hard, only a few leet hackers have managed to use it.

  18. Jack Fox

    This hack is sad. I was a victim of the Ticketmaster hack in April. I received two follow up emails from Ticketmaster advising me on what to do and how to protect myself. Same old Blah, Blah, Blah. Nobody seems capable of stopping these hacks. We are like wildebeest in a nature documentary. The lions chase us, catch one of us and while the lions eat our fallen mate, we stand and think “Well, they just got Charlie, I hope they don’t get me tomorrow.” Current cybersecurity protections and practices can’t stop the hackers. We all know that. Well there is a small start up in Lehi, Utah called ICN that has the technology to stop the hackers. Don’t believe me? Look them up and contact them. Don’t listen to me, talk to them directly and then decide. Inter Computer Network, ICN. Lehi, Utah.

    1. Trunkmonkey

      You don’t need any advanced technology, and I’m not even going to bother looking at whatever company you are trying to sell.

      VERY basic cyber hygiene prevents almost all of these attacks. Simple things such as ACLs, MFA, least-privileged accounts all stop these attacks instantly.

      But the truth is that every single government and corporation just is bad at implementing basic controls.

    2. Jim Franklin

      Consider _never_ giving your _real_ name anywhere that isn’t legally required.

      We can’t lie to the police or government, but for companies that don’t have that level of authority or need, why not just give a placeholder name, and alternate payment methods.

      Now, it may not give ultimate security, like location history of cell phones will always be true, but it is a reasonable step.

  19. Stephen Lewis

    Until the U.S. Congress begins to hold Corporations responsible for securing the data that they store, we can only expect these kinds of breaches to escalate.

    It’s high time for the United States Congress to enact privacy laws that are equal to or exceed the standards that members of the European Union currently enforce. It appears that the only consequence that U.S. corporations face when severe data breaches occur is that they have to offer one year’s protection under some sort of identity protection plan. Corporations can justify this as simply the cost of doing business and they have little incentive to tighten their security.

    Telecommunication companies should be held to even higher standards of data security, given how their databases hold sensitive information about our private lives that no other company has access to.

    Maybe a better solution would be to create a national identity protection plan, paid for by fines imposed on companies that fail to protect their cyber systems. Although I recognize that this can create a honey pot of sensitive information that will become a target for hackers, it could be managed by government agencies that take cyber security much more seriously.

  20. Former ATT Customer

    I’m so glad I stopped using ATT services after their former data breach, when they started using Yahoo for their email services. Only when customers start using the power of their wallets and change providers will these communication companies learn to safeguard their customers’ information. When people stop buying their products, like what happened to Bud Light beer, companies will do better. ATT has a history of data breaches – they will not change their ways until their customers leave!

  21. Sam Davis

    When companies like AT&T and Ticketmaster have to make substantial restitution (NOT USELESS CREDIT MONITORING) to those affected or face jail time, then more attention will be paid to keeping systems secure. Sadly, we’re on the cusp of seeing corporations being given free rein over consumers with little or no government oversight.
