AT&T data breach exposes call records of 'nearly all' wireless customers
Stolen data isn't publicly available yet, the company claims
US telecom giant AT&T disclosed on Friday a data breach that exposed phone records of "nearly all" of its customers.
The breach, affecting an estimated 110 million people, comes just months after another AT&T security incident involving personal information, and was disclosed in a filing with regulators last week.
"We learned that AT&T customer data was illegally downloaded from our workspace on a third-party cloud platform," the company said.
"We have confirmed the access point has been secured."
According to AT&T, the stolen data spans a six-month period between May 2022 and October 2022, with a limited number of records from January 2023 also impacted. It includes phone numbers, call and text message logs, and even some location information linked to cell phone usage.
While the content of calls and texts wasn't compromised, hackers gained access to details about who contacted whom, the frequency and duration of calls, and cell site data for approximate location tracking.
The breach affected not only AT&T cellular customers but also landline users and customers of other carriers who rely on AT&T's network infrastructure.
The company said it became aware of the incident on 19 April and is working with law enforcement to apprehend the culprits.
AT&T claims the stolen data isn't publicly available yet. However, it acknowledged the possibility of linking phone numbers to identities using publicly available online resources.
AT&T is notifying current and former customers whose information was involved. It is also urging users to be cautious of phishing attempts through text messages (smishing) and online scams. Customers can request information about whether their data was accessed in the breach.
AT&T has also set up a dedicated website for affected customers to learn more about the breach and what steps they can take to protect themselves.
At least one arrest has been made, the company told TechCrunch, without disclosing details.
The FBI acknowledged collaborating with AT&T and the Department of Justice (DOJ) to delay public notification of the breach on two separate occasions due to "potential risks to national security and/or public safety."
The breach reportedly involved AT&T's use of cloud storage provider Snowflake, which disclosed in May that a major cyberattack compromised customer data at several of its clients. Ticketmaster, Santander, and LendingTree are among confirmed victims of that cyberattack.
Mandiant's investigation revealed that the attackers, a financially motivated group tracked as UNC5537, used stolen login credentials to access Snowflake customer accounts. Some of these credentials had been harvested by infostealer malware as far back as 2020 and were still valid despite their age.
The lack of enforced MFA by Snowflake customers proved critical. UNC5537 reportedly leveraged these weak logins to enter customer environments and steal "a significant volume of customer data."
Snowflake recently announced the option for administrators to enforce mandatory multi-factor authentication (MFA) for all users.
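The two controls that would have blunted the credential-replay technique described above, written out as an added example in Snowflake SQL (not taken from AT&T, Snowflake or Mandiant): an account-level authentication policy that makes MFA enrollment mandatory, followed by a query over Snowflake's own login audit view that surfaces successful password-only sign-ins. The policy name `require_mfa` and the 30-day lookback are assumptions; the policy properties and the `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` columns are Snowflake's documented ones.

```sql
-- Added example: enforce MFA account-wide and audit for logins that bypassed it.
-- Requires ACCOUNTADMIN (or a role granted CREATE AUTHENTICATION POLICY / ALTER ACCOUNT).

-- 1. Authentication policy: passwords may only be used together with MFA,
--    and every human user must enrol. Policy name is an assumption.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')   -- no legacy/keypair-only paths
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')           -- password logins need a 2nd factor
  MFA_ENROLLMENT             = REQUIRED               -- unenrolled users are forced to enrol
  CLIENT_TYPES               = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');

-- 2. Apply it to the whole account rather than user by user,
--    so a forgotten service or contractor account cannot stay exempt.
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Detection: successful interactive logins in the last 30 days that
--    presented a password and no second factor. After step 2 this should
--    return zero rows; before it, each row is a credential that a stolen
--    password alone would have unlocked. ACCOUNT_USAGE lags by up to ~2 hours.
SELECT
    event_timestamp,
    user_name,
    client_ip,
    reported_client_type,
    first_authentication_factor,
    second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 4. Inventory: which users have never enrolled a Duo/MFA factor.
--    SHOW USERS exposes enrolment as the ext_authn_duo column.
SHOW USERS;
SELECT "name", "login_name", "disabled", "last_success_login"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "ext_authn_duo" = FALSE
  AND "disabled" = FALSE;
```

Run the step-3 query on a schedule and alert on any row; a password-only login appearing after the policy is in force means a client or user type the policy does not cover.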
Commenting on the AT&T data breach, Christiaan Beek, Senior Director of Threat Analytics at Rapid7, said: "The breach against AT&T is huge and will certainly worry any customer whose data has been leaked. An organisation is only as secure as its weakest third-party network, and security protocols are only effective if all of their third-party providers are equally secure."
"Cybercriminals are aware of this and will attempt to breach the weakest link in the chain to gain access to systems and steal highly sensitive data. The sheer amount of personal information stored means it's even more important that supply chains are secured."