Pierluigi Paganini July 12, 2024

AT&T disclosed a new data breach that exposed phone call and text message records for approximately 110 million people.

AT&T suffered a massive data breach, attackers stole the call logs for approximately 110 million customers, which are almost all of the company’s mobile customers.

The stolen data was stolen on a database hosted by the company’s Snowflake, reported Techcrunch quoting an AT&T spokesperson.

On April 19, 2024, the company learned that a threat actor claimed to have stolen the call logs and immediately activated its incident response procedure with the help of external cybersecurity experts.

The company immediately notified law enforcement, the US Department of Justice allowed AT&T to delay the public disclosures of the incident on May 9, 2024 and June 5, 2024.

The telco giant pointed out that stolen data does not contain call or text content, Social Security numbers, birth dates, or other personal information.

“Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023, as described below.” reads the Form 8-K filling with the SEC.

“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network. These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”

The company warned that metadata included in some of the compromised logs could allow threat actors to correlate them with third-party information, potentially identifying customers’ users.

The company announced it has implemented additional cybersecurity measures in response to the security breach, such as closing off the point of unlawful access.

Other organizations were impacted by the Snowflaw data breach, a joint investigation by SnowFlake, Mandiant, and CrowdStrike attributes the supply attack to the financially motivated threat actor UNC5537.

According to Mandiant, the attackers used stolen customer credentials to target at least 165 organizations, including TicketMaster, Neiman Marcus, and Ticketek.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Snowflake)