Telecommunications giant AT&T has announced a significant data breach affecting millions of its customers.
The breach, which has compromised the phone records of nearly all AT&T customers, was confirmed by a company spokesperson on Friday, July 12.
AT&T disclosed that the stolen data includes phone numbers of both cellular and landline customers, as well as records of calls and text messages. This data spans six months from May 1, 2022, to October 31, 2022.
Additionally, a smaller, unspecified number of customers have had more recent records from January 2, 2023, compromised.
The breach also impacts customers of other cell carriers that use AT&T’s network, with their call records included in the stolen data.
However, AT&T said that the breach does not involve the content of calls or texts.
Instead, the stolen information includes metadata such as calling and texting records, the number of calls and texts, and call durations. Importantly, the data does not include the time or date of calls or texts.
Some of the compromised records also contain cell site identification numbers linked to phone calls and text messages. This information can be used to approximate the location from which a call was made or a text message sent.
Scale and Notification
AT&T is preparing to notify approximately 110 million customers affected by the breach.
Company spokesperson Andrea Huguely confirmed that the company has created a website to provide information to customers regarding the incident.
Furthermore, AT&T disclosed the data breach in a regulatory filing before the market opened on Friday.
The breach was discovered on April 19 and is unrelated to a previous security incident in March 2024.
The recent compromise of customer records was traced back to Snowflake, a cloud data giant, during a wave of data thefts targeting Snowflake’s customers.
Snowflake offers services that allow corporate customers, including tech companies and telecoms, to analyze large volumes of customer data in the cloud.
It remains unclear why AT&T was storing customer data with Snowflake, and the company spokesperson declined to provide further details.
AT&T joins a growing list of companies, including Ticketmaster and LendingTree subsidiary QuoteWizard, that have confirmed data theft from Snowflake accounts.
Snowflake has attributed these breaches to its customers’ failure to use multi-factor authentication (MFA) to secure their accounts, a security measure that Snowflake did not enforce or mandate.
Response and Investigation
Cybersecurity firm Mandiant, which was brought in by Snowflake to assist with customer notifications, reported that about 165 Snowflake customers had a “significant volume of data” stolen.
Mandiant attributed the breaches to a cybercriminal group identified as UNC5537. According to Mandiant, the group is financially motivated with members based in North America and Turkey.
While some victims of the Snowflake breaches have had their data published on cybercrime forums, AT&T stated that it does not believe its stolen data is publicly available at this time.
AT&T is cooperating with law enforcement to apprehend the cybercriminals responsible for the breach. In its statement, the company said that “at least one person has been apprehended.”
The arrested individual is not an AT&T employee, but the company deferred further inquiries to the FBI. The FBI has not yet commented on the case.
Recent Security Incidents
This breach marks the second significant security incident AT&T has faced this year.
Earlier, the company had to reset account passcodes for millions of customers after a cache of customer account information, including encrypted passcodes, was leaked on a cybercrime forum.
A security researcher indicated that the encrypted passcodes could be easily decrypted, prompting AT&T to take precautionary measures to protect customer accounts.