In a significant cybersecurity breach, AT&T disclosed on Friday that tens of millions of its cellphone customers' call and text message records were exposed in a data hack that occurred in mid-to-late 2022. The breach also impacted many non-AT&T customers whose information was accessible through interactions with AT&T users. This revelation underscores the persistent vulnerabilities facing major telecom companies.
AT&T confirmed that the breach did not involve the content of calls and text messages but did include critical metadata such as phone numbers, call durations, and the numbers dialed. The data breach was attributed to an "illegal download" from a third-party cloud platform, specifically Snowflake, a well-known data storage and processing service. The breach, which came to light in April 2023, involved data spanning from May 1, 2022, to October 31, 2022, and an additional day on January 2, 2023.
"AT&T does not believe that the data is publicly available," the company stated, attempting to reassure customers about the scope of the breach. However, the sheer volume of data exposed, potentially involving nearly all of AT&T's 110 million wireless subscribers, highlights the significant challenge of protecting customer information in the digital age.
The exposed data included the phone numbers of both AT&T customers and individuals they communicated with, regardless of their wireless provider. Additionally, the breach encompassed AT&T landline customers who interacted with these cell numbers. While customer names were not directly exposed, AT&T acknowledged that publicly available tools could potentially link names to specific phone numbers, increasing the risk of privacy violations.
AT&T spokesperson Alex Byers emphasized that this incident is unrelated to a previous breach disclosed in March, in which personal information, such as Social Security numbers, of 73 million current and former customers was released onto the dark web. In the latest breach, AT&T discovered on April 19 that a "threat actor claimed to have unlawfully accessed and copied AT&T call logs." An immediate investigation ensued, involving third-party cybersecurity experts from Mandiant and CrowdStrike, which confirmed the breach did not result from vulnerabilities in Snowflake's platform.
Brad Jones, Chief Information Security Officer at Snowflake, corroborated this finding, stating that no evidence suggested the breach was due to a vulnerability or misconfiguration of Snowflake's systems. Nevertheless, AT&T took swift action to close the illegal access point and bolster its cybersecurity defenses.
The U.S. Department of Justice intervened, requesting a delay in public disclosure of the breach while investigations continued. AT&T complied, announcing the breach only after receiving the green light from the Justice Department in May and June. As part of the ongoing investigation, AT&T is cooperating with law enforcement, which has already resulted in the apprehension of at least one suspect involved in the breach.
Despite the breach's extensive reach, AT&T maintained that international calls, except those to Canada, were not included in the stolen data. The company has promised to notify affected customers and provide resources to help them protect their information. AT&T said that the compromised data did not contain personal identifiers such as Social Security numbers or dates of birth, nor did it include call or text content.
"AT&T sincerely regrets this incident occurred and remains committed to protecting the information in our care," the company said in a statement. The telecom giant's shares fell 2% in premarket trading following the announcement, reflecting investor concerns over the company's cybersecurity measures and the potential impact on its reputation.