Call and text records of nearly all AT&T cell customers exposed to massive leak



CNN

Call and text message records from millions of AT&T cellphone customers and many non-AT&T customers dating from mid-to-late 2022 were exposed in a massive data breach, the telecommunications company disclosed Friday.

AT&T said the compromised data includes telephone numbers of “virtually all” of its cellular customers and customers of wireless providers who used its network between May 1, 2022, and October 31, 2022.

The stolen logs also included records of every number called or texted by AT&T customers — including customers of other wireless networks — how often they talked, and the duration of the calls.

Importantly, AT&T said the stolen data did not include the content of calls and text messages or the timing of those communications.

AT&T said records for a “very small number” of customers from Jan. 2, 2023, were also included.

“We are investigating the AT&T breach and coordinating with our law enforcement partners,” the FCC said on social media platform X.

The company blamed an “illegal download” on a third-party cloud platform that it became aware of in April, right around the time it was grappling with an unrelated major data leak.

AT&T says the exposed data is not publicly available, though CNN was unable to independently confirm this claim.

AT&T spokesman Alex Byers told CNN that this was a completely new incident that was “in no way related” to another incident that came to light in March. At the time, AT&T said personal information such as Social Security numbers of 73 million current and former customers had been released on the dark web.

“We deeply regret this incident and are committed to protecting the information we hold,” the company said in a statement about the latest breach.

AT&T listed about 110 million wireless customers as of the end of 2022. AT&T said international calls were not included in the stolen data, with the exception of calls to Canada.

The breach also involved AT&T landline customers who contacted those cell numbers.

AT&T said the incident did not expose the contents of calls or texts, personal information such as Social Security numbers, dates of birth or customer names, though the company acknowledged that publicly available tools can often link names to specific phone numbers.

Additionally, AT&T said that for an undisclosed subset of its records, one or more cell site identification numbers associated with calls and texts were also exposed. Such data could reveal the broad geographic location of one or more parties.

AT&T believes at least one individual involved in the cybercriminal incident is in custody, the company said in a filing with the Securities and Exchange Commission. The FBI declined to comment when asked about that statement.

AT&T promised it would notify current and former customers whose information was involved, and provide them with resources to protect their information.

Usage details such as the timing of calls and text messages were also not exposed. But AT&T spokesman Byers told CNN that the number of calls and text messages and the total call duration for specific days or months were exposed.

This means that while the data won’t reveal when one phone number called another, it will reveal how often two parties called each other — and how long they spoke for on specific days.

AT&T said it learned on April 19 that a “threat actor claimed it had illegally accessed and copied AT&T call logs.” The company said it “immediately” hired experts and a subsequent investigation determined the hackers had stolen the files between April 14 and April 25.

The company said the US Justice Department had determined in May and June that a delay in public disclosure was appropriate. The FBI said it was contacted by AT&T shortly after it learned of the hack, but the agency wanted to review the data for potential national security or public safety risks.

“In assessing the nature of the breach, all parties discussed potential delays in public reporting due to potential risks to national security and/or public safety,” the FBI said in a statement. “AT&T, the FBI and DOJ worked collaboratively during the first and second delay process, as well as sharing critical threat intelligence to strengthen FBI investigative equity and assist AT&T’s incident response work.”

This appears to be the first cyber incident in which the Justice Department has asked a company to delay filing a disclosure with the SEC because of potential national security or public safety concerns.

“This is very worrying. This information is very valuable to cybercriminals and nation-states,” Sanaz Yashar, co-founder and CEO of cybersecurity firm Zafran, told CNN.

Yashar, who was previously an Israeli cyber spy, said threat actors can correlate cell ID data with other available information to figure out where someone works — including sensitive locations such as the White House and the Pentagon.

“You don’t need a timestamp. If someone goes there every day, you can understand that they work there and what their routine is. It’s very confidential information and that’s how spies work.”

Justin Sherman, founder of consultancy firm Global Cyber Strategies, also described the potential threat in clear terms.

“Metadata about who is communicating with whom enables us to map, on a large scale, the relationships between people — think journalists and sources, intelligence officials and their contacts, married people and those with whom they are having a romantic relationship,” Sherman told CNN.

Cell site data “is quite important because it can allow the bad guys to figure out the geographic location of certain consumers, which can be used to make social engineering attacks more reliable,” said Jason Hogue, a former FBI special agent who is now an executive at Great Hill Partners.

AT&T shares fell 1% on Friday following the news.

In the new case, AT&T told CNN it learned in April that customer data had been illegally downloaded from its workspace on third-party cloud platform Snowflake.

AT&T recently became the first major company to have its data stolen through access to its Snowflake platform. Ticketmaster and Santander Bank have also recently disclosed massive data breaches involving Snowflake. Google-owned cybersecurity firm Mandiant has notified at least 165 organizations that they may have been affected by the hacking spree. Mandiant analysts said they have “moderate confidence” that the hackers are based in North America and that they collaborate with an additional individual in Turkey.

Snowflake’s Chief Information Security Officer Brad Jones told CNN in a separate statement that the company found no evidence that the activity was “due to a vulnerability, misconfiguration or breach of Snowflake’s platform.” Jones said an investigation by third-party cybersecurity experts Mandiant and CrowdStrike confirmed this.

AT&T said it has launched an investigation, hired cybersecurity experts and taken steps to shut down the “illegal access point.”

This story has been updated with additional context and developments.
