AT&T: ‘Threat actors’ illegally downloaded data from ‘nearly all’ mobile customers

https://eu-images.contentstack.com/v3/assets/blt23eb5bbc4124baa6/blt95eb7cbf5b14395c/650cd4bffea9d0850183b186/padlock_being_opened_against_a_digital_background_cybersecurity.jpg?disable=upscale&width=1200&height=630&fit=crop

AT&T said it is working with law enforcement after discovering that “threat actors” illegally downloaded data in April, including records of calls and texts of “nearly all” AT&T’s cellular customers. Data from mobile virtual network operator (MVNO) customers that use AT&T’s network was also accessed, the company said.

The illegal downloads further spread to AT&T landline customers who interacted with affected mobile subs between May 1, 2022, and October 31, 2022. The compromised data included data and records from January 2, 2023, as well, for a “very small number of customers,” the company said.

All in, the illegal downloads impacted data from roughly 109 million customer accounts, according to Reuters.

Update: That 109 million figure, Light Reading confirmed, refers to the difference of total mobility subscribers AT&T reported in its 2022 annual report (217.37 million) and IoT “connected devices” (107.47 million) it had at that time.

AT&T didn’t define the incident as a cybersecurity breach but noted that the customer data was illegally obtained from “our workspace on a third-party cloud platform.” The data theft occurred between April 14 and April 25, 2024, AT&T said in an SEC filing. But, as of this date, AT&T believes that the incident has not had a material impact on the company’s operations and that it will not have a material impact on AT&T’s financial condition or financial results.

“We have taken steps to close off the illegal access point,” AT&T said, adding that it’s working with authorities to track down and arrest anyone involved in the incident.

Update: An AT&T official confirmed that the incident involved Snowflake, a data cloud partner, and that it was limited to an AT&T workspace running on Snowflake’s platform.

Though the data theft involved a third party, the official stressed that “AT&T takes protecting customers’ data very seriously” and that it holds itself to “high standards” on the issue, when asked for clarification on the company’s role and responsibility when handling customer data.

“We are constantly evaluating and enhancing our security protections to address the evolving cybersecurity threat landscape and create a secure environment for our customers. We invest in our network’s security using a broad array of resources including people, capital, and innovative technology advancements,” the official added.

It was not immediately clear whether this was an inside job. AT&T said it understood that at least one person tied to the alleged data incident had been apprehended, but the company did not elaborate.

No PII data

AT&T stressed that the purloined data does not contain the content of individual calls or texts, including personal information such as Social Security numbers, dates of birth and other “personally identifiable information.” However, some of the data does contain customer names that can be linked to specific telephone numbers through publicly available online tools, the company added.

“At this time, we do not believe that the data is publicly available,” AT&T said.

While the cybersecurity incident occurred about three months ago, AT&T noted in its SEC filing that the US Department of Justice determined that a delay in disclosing the incident to the public was warranted.

AT&T, which recently spun-off its cybersecurity consulting business, said in this FAQ about the incident that it will contact customers, including prior customers and agencies of FirstNet (the company’s network for first responders), via text, email or US email if their accounts were affected by the data theft.

This latest incident follows an earlier one at AT&T that involved the theft of personal information of about 73 million current and former customers. Tied to that, AT&T is facing a class action lawsuit involving a data breach in March that was consolidated into one case last month with the Northern District of Texas. In addition to Texas, that case is combining 18 overlapping putative class actions in seven other districts in California, Georgia, Illinois, Missouri and Texas.

Hack attacks on the rise

Word of AT&T’s latest data theft incident arrives in the wake of cybersecurity incidents that have been sweeping the telecom landscape.

In June, an extortion group called RansomHub claimed responsibility for an April attack on Frontier Communications that sought to auction up to 5 gigabytes of data tied to about 2 million customers. Others that have been forced to respond to cybersecurity incidents and data breaches in recent months include Comcast, Dish NetworkVerizon and T-Mobile.

A recent Verizon report illustrated the increasing size and scope of cybersecurity incidents. This 17th annual Data Breach Investigations Report found that the exploitation of vulnerabilities for hackers to break in has nearly tripled.

“It’s no longer survival of the fittest; it’s survival of the fastest,” Chris Novak, senior director of Cybersecurity Consulting for Verizon, told Light Reading. “If you look at the amount of time it typically takes an organization to remediate critical vulnerabilities with patches after they’re available, it typically takes about 55 days to remediate about 50% of the critical vulnerabilities.”

In a statement sent today about AT&T’s data incident, Sean Deuby, principal technologist with cybersecurity specialist Semperis, said such breaches are an almost certainty, and that “preparing in peacetime is the key.”

The rising level of attacks means “organizations need to have an assumed breach mindset because threat actors will eventually breach most of their targets if they’re persistent enough,” Deuby noted. “It’s not just a risk; it’s a probability. Having a backup and recovery plan in place is an essential part of improving operational resiliency.”

<<<- Go Back