
AT&T Details Massive Breach of Subscribers’ Call Logs – Source: www.databreachtoday.com


Breach Notification, Cybercrime, Fraud Management & Cybercrime

Ongoing Law Enforcement Investigation Led to Delay in Public Breach Notification

Mathew J. Schwartz (euroinfosec) • July 12, 2024


Attackers have stolen logs of call and text interactions pertaining to nearly every one of AT&T’s millions of wireless customers, the telecommunications giant warned Friday.


The Dallas-based company said in a data breach notification that the stolen data largely pertains to calls made over a six-month period in 2022. It said the data was “downloaded from our workspace on a third-party cloud platform” and has now “been secured.”

AT&T is America’s largest provider of fixed telephone services, and one of the top three wireless telephony providers, based on subscribers. The company told TechCrunch the data was stolen from its account with data warehousing provider Snowflake, and that it plans to notify about 110 million individuals that their personal information was exposed.

The telco said the stolen data pertains to the period from May 1, 2022, to October 31, 2022, and includes records for both wireless service users and users of any wireline – aka landline – telephones who communicated with them.

“Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (‘MVNO’) using AT&T’s wireless network,” the company told investors via an 8-K filing Friday to the U.S. Securities and Exchange Commission.

“The call and text records identify the phone numbers with which an AT&T number interacted during this period, including AT&T landline (home phone) customers,” and also include a per-day and per-month count of such calls as well as total talk time, it said. Some records also included cell site ID numbers, which could be used to identify the approximate geographic location of a cellular user.

AT&T said it believes the information was exfiltrated between April 14 and April 25 of this year from its Snowflake account.

Stolen data didn’t include information such as a subscriber’s name, date of birth or Social Security number, or time stamps for individual calls, the company said. “While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” it said.

The company is warning subscribers to beware of suspicious texts or other attempts to scam them via their wireless number. Fraudsters could use the stolen data to facilitate phishing attacks as well as SMS phishing, aka smishing.

The company said it first learned of the breach on April 19, at which point it “immediately activated its incident response process to investigate and retained external cybersecurity experts to assist.”

AT&T now joins the list of Snowflake customers who fell victim to the recent credential stuffing campaign. In a joint investigation conducted with Mandiant and CrowdStrike, Snowflake reported that attackers stole data from about 165 customers. This week, automotive parts supplier Advance Auto Parts reported it’s notifying 2.3 million individuals that their personal information, in some cases including Social Security numbers, was exposed via the breach of its Snowflake account. Other publicly named Snowflake customers who lost data include Santander Bank, luxury retailer Neiman Marcus, the Los Angeles Unified School District and Live Nation Entertainment’s Ticketmaster (see: Victims of Snowflake Data Breach Receive Ransom Demands).

The SEC requires publicly traded firms to report all “material” cybersecurity incidents to investors via a Form 8-K, within four days of determining it’s material, except under certain circumstances.

AT&T said it’s been assisting a law enforcement investigation into the breach, and that on May 9 and again on June 5, the U.S. Department of Justice determined that “a delay in providing public disclosure was warranted” as it continued to probe the breach. “AT&T is now timely filing this report,” it said in its Friday 8-K filing.

“Based on information available to us, we understand that at least one person has been apprehended,” the company said.

AT&T said its notifications to victims will be forthcoming. “If your account was affected by the event, we’ll contact you by text, email or U.S. mail,” it said.

The company said the breach is unrelated to an old tranche of data allegedly pertaining to 70 million AT&T customers, which got released in March for free on a hacking forum, three years after the prolific data-leak gang ShinyHunters first advertised it for sale on the cybercrime underground.

“We have no indications of a compromise of our systems,” an AT&T spokesman told Information Security Media Group in a statement in March (see: After 70M Individuals’ Data Leaks, AT&T Denies Being Source).

“We determined in 2021 that the information offered on this online forum did not appear to have come from our systems,” he said. “This appears to be the same dataset that has been recycled several times on this forum.”

Original Post url: https://www.databreachtoday.com/att-details-massive-breach-subscribers-call-logs-a-25754
