Security news that informs and inspires

AT&T: Threat Actors Compromised ‘Nearly All’ Customer Phone, Text Records


Telecommunications giant AT&T has disclosed a security incident that compromised the records of calls and texts of “nearly all” of its wireless customers over certain periods of time.

The company first learned of the incident on April 19, when an unnamed threat actor claimed to have accessed and copied call logs. Upon further investigation, AT&T found that threat actors had accessed an AT&T workspace on a third-party cloud platform. Between April 14 and April 25, the attackers exfiltrated files containing AT&T records of call and text interactions that took place between May 1 and Oct. 31, 2022, and on Jan. 2, 2023. A subset of the stolen records included one or more cell site identification numbers, the unique location-related identifiers assigned to individual cell towers on wireless communication networks.

The data did not contain the content of calls or texts, according to AT&T. It also did not include personal information like social security numbers or dates of birth. However, AT&T said that while the data does not include customer names, there are publicly available online tools that can help associate names with specific telephone numbers.

“Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network,” according to AT&T both in an SEC Form 8-K filing and on its website. “These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month.”

AT&T said that it has taken steps in response to the incident to secure the impacted workspace, and that it plans to provide data breach notices to current and former impacted customers. As of the date of the filing, the company said it does not believe the data is publicly available, and it believes that at least one person has been apprehended in connection with the attack.

An AT&T spokesperson said that the activity involves Snowflake, whose customers have recently been hit by attackers who leveraged compromised credentials for accounts that did not have MFA enabled. When asked about the AT&T incident, a Snowflake spokesperson pointed to a previously published statement by Snowflake CISO Brad Jones: "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform."

The AT&T spokesperson did not comment on the initial cause of the security incident outside of linking it to Snowflake, saying "It is AT&T’s policy not to discuss specific details about the security of our systems."

Earlier this year, in March, the company had responded to a separate data set being released on the dark web, which appeared to contain data from 2019 or earlier and impacted 7.6 million current AT&T account holders and 65.4 million former account holders. The data compromised in that incident included personal information such as full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, AT&T account numbers and passcodes.

The Form 8-K filing was made under the SEC’s mandate from last year that publicly traded companies must report cyber incidents within four business days of determining that an incident is “material.” However, AT&T said that its filing fell under an exception to the SEC rule that allows a 30-day extension for companies if disclosure of the cyber incident would impact national security or public safety.

“On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted,” according to AT&T’s filing. “AT&T is now timely filing this report. AT&T is working with law enforcement in its efforts to arrest those involved in the incident.”

AT&T said that as of the date of the filing, the incident has not had a material impact on its operations, and it "does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations." The Cybersecurity and Infrastructure Security Agency (CISA) on Friday released an advisory about the incident, and the Federal Communications Commission (FCC) said that it has launched an ongoing investigation into the breach.

This article was updated on July 12 at 10 am with a statement from Snowflake and CISA, and then on July 15 with a statement from AT&T.