Data on nearly all of telecom giant AT&T's customers was downloaded to a third-party platform in a security breach, the company said, as cyberattacks against businesses, schools and healthcare systems continue to spread globally.
The data breach, which was announced by the company on Friday, largely occurred over five months in 2022. It affected AT&T wireless customers, customers of mobile virtual network operators that use AT&T’s wireless network, as well as its landline customers who interacted with those cellular numbers.
About 109 million customer accounts were affected, according to AT&T, which said it does not currently believe the data is publicly available.
“The data does not include the content of calls or text messages, personal information such as Social Security numbers, dates of birth or other personally identifiable information,” AT&T said Friday.
The compromised data also does not include certain information that typically appears in usage details, such as the time of calls or text messages, the company said, or customer names. However, AT&T said there are often ways to use publicly available online tools to find the name associated with a specific phone number.
Cybersecurity experts agreed, saying that such data can be used to track users.
“While the exposed information does not contain sensitive information directly, it can be used to reconstruct events and determine who may be calling whom. This could impact people’s private lives as private calls and connections could be exposed,” Thomas Richards, principal consultant at Synopsys Software Integrity Group, said in an emailed statement. “Business phone numbers will be easy to identify and private numbers can be matched to names using public records searches.”
An internal investigation determined that the compromised data includes AT&T call and text message records between May 1, 2022, and October 31, 2022.
AT&T identified the third-party platform as Snowflake and said the incident was limited to an AT&T workspace on that cloud company's platform and did not affect its network.
Growing risks
Cybersecurity experts say the sheer volume of data companies store on cloud platforms can create its own dangers.
“The AT&T data breach highlights the growing risks associated with the vast amounts of data that enterprises now store in the cloud and on SaaS platforms,” said Roei Sherman, field technology director at Mitiga, a threat detection and research firm that focuses on cloud technology. “As organizations become increasingly reliant on these technologies, the complexity of detecting and investigating breaches has increased dramatically.”
AT&T's investigation is ongoing and it has been working with cybersecurity experts to understand the nature and scope of the data breach. According to the company, at least one person has been arrested so far.
The compromised data also includes records from January 2, 2023, for a very small number of customers. The records identify the phone numbers that an AT&T mobile number or MVNO interacted with during these periods. For a subset of the records, one or more cell site identification numbers associated with the interactions are also included.
The FBI said it has worked collaboratively with AT&T and the Justice Department “through the first and second delay processes, all while sharing key threat information to bolster the FBI’s investigative efforts and assist AT&T’s incident response efforts.”
The Justice Department said Friday that it learned of the breach earlier this year, but that the breach met the security standard for a delayed filing by AT&T with the U.S. Securities and Exchange Commission. That filing was made public on Friday.
The Justice Department said early disclosure of the breach “would pose a substantial risk to national security and public safety.”
The Federal Communications Commission is also investigating the breach.
The year has already been marked by several major data breaches, including an earlier attack on AT&T in March: A dataset found on the “dark web” contained information such as Social Security numbers for approximately 7.6 million current AT&T account holders and 65.4 million former account holders.
Some car dealers are still using pen and paper to close deals after two consecutive cyberattacks last month against a company that supplies them with software. That company, CDK Global, is still trying to get back to normal operations.
Alabama's superintendent of education said earlier this month that some data was “breached” during a hacking attempt at the Alabama State Department of Education.
Cybersecurity experts warn that hospital systems across the country, which have already been attacked, are at risk of further attacks and that the U.S. government is doing too little to prevent breaches.