AT&T Under Fire After Disclosing Massive Data Breach

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• AT&T divulged that the call and text records of 109 million cellular customers had been unlawfully downloaded from a third-party cloud provider’s environment.

• Wired magazine reports AT&T paid $370,000 to hackers to delete the records, which included cell site data. While the hacker provided a video of the deletion, there is no way to prove the threat actors don’t have a copy of the records.

AT&T is feeling the heat after admitting that the call and text records of 109 million wireless customers had been illegally downloaded from third-party provider Snowflake’s cloud. The records, which include the incoming and outgoing phone numbers and cell site locations that these communications were relayed through, covered a more than six-month time span in 2022 and a single day in January 2023.

In a Securities and Exchange Commission (SEC) filing this month, AT&T disclosed that an internal investigation had discovered the theft in April 2024. At the Department of Justice’s request, AT&T delayed public disclosure so the agency could investigate. At least one person, a US citizen, was arrested in Turkey. The Federal Communications Commission is also probing the breach.

Wired magazine reports that AT&T paid a hacking group $370,000 in cryptocurrency to delete the records. While the bad actors provided a video showing the data deletion, there is no way to prove that the cyber criminals don’t have other copies of the records.

The theft involves the call and text records of almost all of AT&T’s cellular customers as well as customers of mobile virtual network operators (MVNOs) including Cricket and Boost. While the data doesn’t include personally identifying information such as names or social security numbers, the scale of the theft and the inclusion of communicating phone numbers and location data present a damning picture of the severity of this breach.

Security and intelligence experts are sounding the alarm on how valuable this information would be to many bad actors and espionage agencies. The phone numbers contained in the metadata can be linked to the identities of individual customers using public records. Adding cell site data provides exactly the kind of information intelligence agencies and other entities seek in order to map an individual’s communications and locations.

This metadata can be used for several different purposes, including discerning the connections between phone numbers through network mapping, geofencing analysis for targeted advertising, behavioral pattern recognition to establish travel patterns, fraud, and cold-case resolution. Intelligence agencies around the world have tapped into these types of records for surveillance purposes.

This is not AT&T’s first major security incident this year. In March 2024, AT&T disclosed that the passwords of 7.6 million customers were stolen. That theft occurred in 2019. AT&T never clarified why it took so long to notify its customers of that breach.

Big questions loom about the lack of security protections for such high-value and high-volume data. Why did it take so long for AT&T to identify the breach? What actions is the company taking to ensure that customer data is protected in the future?
