AT&T Corp. disclosed today that a new data breach exposed the phone and text message records of nearly 110 million people — nearly all of its customers. AT&T said it delayed disclosing the incident due to “national security and public safety concerns,” noting that some records include data that could be used to determine where a call was made or a text message sent. AT&T also admitted that the customer records were exposed in a cloud database protected only by a username and password (no multi-factor authentication required).
In a filing with the U.S. Securities and Exchange Commission today, AT&T said cyber attackers accessed an AT&T workspace on a third-party cloud platform in April, downloading files containing customer call and text interactions between May 1 and October 31, 2022, and on January 2, 2023.
The company said the stolen data included call and text records for cellular providers that resell AT&T's service, but did not include the content of calls or texts, Social Security numbers, dates of birth, or any other personally identifiable information.
However, the company said the stolen records included information about the location of cell phone towers near a subscriber, data that could be used to determine the approximate location of a customer’s device that initiates or receives those messages or calls.
“Although the data does not include customer names, there are often ways, using publicly available online tools, to find a name associated with a particular phone number,” AT&T allowed.
AT&T said it discovered the breach on April 19, but delayed disclosing it at the request of federal investigators. The company’s SEC disclosure indicates that at least one person has been arrested by authorities in connection with the breach.
In a written statement shared with KrebsOnSecurity, the FBI confirmed that it had asked AT&T to delay notifying affected customers.
“Shortly after identifying a potential breach of customer data and prior to making a material decision, AT&T contacted the FBI to report the incident,” the FBI statement read. “In assessing the nature of the breach, all parties have discussed possible delays in public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety. AT&T, the FBI, and the DOJ worked cooperatively through the first and second delay processes, all while sharing critical threat intelligence to strengthen the integrity of the FBI’s investigation and to assist AT&T’s incident response mission.”
TechCrunch quoted an AT&T spokesperson as saying the customer data was stolen in a possible data breach involving more than 160 customers of the cloud data provider Snowflake.
Earlier this year, malicious hackers discovered that many large companies had uploaded large amounts of valuable and sensitive customer data to Snowflake servers, all the while protecting those Snowflake accounts with little more than a username and password.
Wired reported last month how the hackers behind the Snowflake data thefts bought stolen Snowflake credentials from dark web services that sell access to usernames, passwords and authentication tokens captured by information-stealing malware. For its part, Snowflake says it now requires all new customers to use multi-factor authentication.
Other companies that had millions of customer records stolen from Snowflake’s servers include Advance Auto Parts, Allstate, Anheuser-Busch, Los Angeles Unified, Mitsubishi, Neiman Marcus, Progressive, Pure Storage, Santander Bank, State Farm, and Ticketmaster.
Earlier this year, AT&T reset the passwords of millions of customers after the company finally acknowledged a data breach from 2018 that involved about 7.6 million current AT&T account holders and about 65.4 million former account holders.
Mark Burnett is an application security architect, consultant and author. Burnett said the only real use for the data stolen in AT&T’s latest breach is knowing who is contacting whom and how often.
“The thing that concerns me most about this AT&T breach of ALL customer call records and text records is that this is not one of their main databases; it’s metadata about who’s interacting with whom,” Burnett wrote on Mastodon. “Which makes me wonder what would be worth the timber without time stamps or names.”
It is not clear why many large companies persist in the belief that it is somehow acceptable to store such sensitive customer data with few security safeguards. For example, Advance Auto Parts said the exposed data included full names, Social Security numbers, driver’s licenses and government-issued identification numbers for 2.3 million former employees or job applicants.
That’s likely because, aside from the class-action lawsuits that often arise after these breaches, there is little holding companies accountable for sloppy security practices. AT&T told the SEC that it did not believe the incident would have a material impact on AT&T’s financial condition or results of operations. AT&T reported more than $30 billion in revenue in its most recent quarter.