Metadata from “practically all” name logs and texts made by AT&T prospects over a six-month interval in 2022 was stolen by hackers who breached the telecom’s knowledge storage platform in April.
AT&T filed paperwork with the Securities and Change Fee (SEC) on Friday that mentioned the corporate discovered of the incident on April 19. It confirmed to Recorded Future Information that the breach occurred via the third-party cloud platform Snowflake — a knowledge storage large that has been beset by hackers who’ve focused a few of the firm’s most distinguished shoppers and leaked paperwork on lots of of hundreds of thousands of individuals.
An investigation revealed the hacker exfiltrated recordsdata from AT&T’s account on Snowflake between April 14 and April 25.
“The incident was restricted to an AT&T workspace on Snowflake’s cloud platform and didn’t influence AT&T’s community,” an organization spokesperson mentioned.
When requested why the hacker was in a position to entry the Snowflake account for practically every week after AT&T found the difficulty, the spokesperson mentioned it “took time to analyze the declare of a breach, decide its supply, isolate the impacted knowledge, and shut off the unlawful entry level.”
The spokesperson mentioned the hackers stole “aggregated metadata” about calls or texts and never the content material of the conversations. AT&T has probably the most wi-fi subscribers within the U.S., far outpacing its rivals Verizon and T-Cellular.
A 2022 annual report confirmed that about 109 million individuals had accounts affected by the incident.
The telecom large believes the hacker exfiltrated “recordsdata containing AT&T data of buyer name and textual content interactions” from roughly the beginning of Might 2022 till the top of October, in addition to on January 2, 2023.
The breach concerned “data of calls and texts of practically all of AT&T’s wi-fi prospects and prospects of cellular digital community operators (MVNO) utilizing AT&T’s wi-fi community.”
“These data establish the phone numbers with which an AT&T or MVNO wi-fi quantity interacted throughout these intervals, together with phone numbers of AT&T wireline prospects and prospects of different carriers, counts of these interactions, and combination name period for a day or month,” the corporate mentioned within the SEC submitting.
“For a subset of data, a number of cell web site identification quantity(s) are additionally included. Whereas the information doesn’t embrace buyer names, there are sometimes methods, utilizing publicly accessible on-line instruments, to search out the identify related to a selected phone quantity.”
AT&T pledged to inform present and former prospects and mentioned it has closed off the purpose “of illegal entry.” No less than one individual concerned within the theft has been arrested, the corporate mentioned within the submitting.
The FBI advised Recorded Future Information that AT&T contacted them after figuring out the breach. The corporate was granted an exemption to public reporting necessities by the Division of Justice due “potential dangers to nationwide safety and/or public security,” the FBI mentioned.
An FBI spokesperson mentioned the company labored with AT&T and the Justice Division on two separate disclosure delays with a view to assist the telecom with its incident response.
AT&T is among the first corporations to publicly acknowledge acquiring an exemption from the Justice Division that enables them to delay submitting paperwork with the SEC. The measure to permit for delays was a key a part of controversial new SEC guidelines mandating the disclosure of cyber incidents.
AT&T confirmed that it efficiently obtained delays from the DOJ on Might 9 and June 5 and that it used the additional time to work with regulation enforcement businesses “in its efforts to arrest these concerned within the incident.”
A spokesperson for the Cybersecurity and Infrastructure Safety Company (CISA) mentioned they’re additionally working with AT&T to evaluate the influence. The spokesperson additionally urged organizations to implement multifactor authentication — one thing consultants have pointed to as a priority contemplating the hackers used solely stolen login info to entry Snowflake accounts.
The April incident is the newest in a string of assaults on AT&T involving buyer knowledge. Earlier this yr, it confirmed {that a} knowledge set with the knowledge of 73 million present and former prospects is official practically two weeks after a hacker provided it on a darkish internet prison market.
In 2023, one other 9 million prospects had been impacted by a safety subject and the corporate needed to resolve a vulnerability that might have allowed anybody to take over somebody’s account on ATT.com simply by figuring out their cellphone quantity and ZIP code.
In its SEC submitting, the corporate mentioned it doesn’t imagine the newest incident could have any influence on its monetary situation.
No less than 165 Snowflake prospects have allegedly been attacked by hackers who stole login info to worker accounts on the platform. These affected embrace Ticketmaster, Advance Auto Elements, one of many largest faculty districts within the U.S., Neiman Marcus, Santander, LendingTree and extra.
Recorded Future
Intelligence Cloud.
Be taught extra.
