The call and text message records of tens of millions of AT&T cellphone customers and many non-AT&T customers in mid-to-late 2022 were exposed in a massive data breach, the telecom company revealed Friday.
AT&T said the hacked data did not include the content of calls and text messages. At this point, the exposed data is not believed to be publicly available.
The company blamed an “illegal download” on a third-party cloud platform that it learned about in April – just as the company was grappling with an unrelated major data leak.
AT&T said the compromised data includes the telephone numbers of “nearly all” of its cellular customers and the customers of wireless providers that use its network between May 1, 2022 and October 31, 2022. The stolen logs also contain a record of every number AT&T customers called or texted – including customers of other wireless networks – the number of times they interacted and the call duration.
The records of a “very small number” of customers on January 2, 2023 were also implicated, AT&T said. The content of the calls and texts was not exposed, according to the company.
AT&T listed approximately 110 million wireless subscribers as of the end of 2022. AT&T said international calls were not included in the stolen data, with the exception of calls to Canada.
The breach also included AT&T landline customers who interacted with those cell numbers.
AT&T said customer names were not exposed in this incident; however, the company acknowledged that publicly available tools can often link names with specific phone numbers.
Additionally, AT&T said that for an undisclosed subset of its records, one or more cell site identification numbers linked to the calls and texts were also exposed. Such data could reveal the broad geographic location of one or more of the parties.
“At this time, we do not believe that the data is publicly available,” AT&T said in a statement. “We sincerely regret this incident occurred and remain committed to protecting the information in our care.”
AT&T promised to notify current and former customers whose information was involved and provide them resources to protect their information.
Although the breach exposed phone and text records, AT&T said it does not contain the contents of the calls or texts, nor does it contain personal information such as Social Security numbers, dates of birth or other personally identifiable information.
Usage details such as the time of calls and text messages were not compromised either.
AT&T said it learned on April 19 that a “threat actor claimed to have unlawfully accessed and copied AT&T call logs.” The company said it “immediately” hired experts and a subsequent investigation determined hackers had exfiltrated files between April 14 and April 25.
The company said the US Department of Justice determined in May and in June that a delay in public disclosure was warranted. The FBI said AT&T reached out shortly after learning about the hack, but the agency wanted to review the data for potential national security risks.
“In assessing the nature of the breach, all parties discussed a potential delay to public reporting … due to potential risks to national security and/or public safety,” the FBI said in a statement. “AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”
AT&T shares fell 2% in premarket trading following the news.
AT&T spokesperson Alex Byers told CNN that this new incident has “no connection in any way” to an incident disclosed in March. At that time, AT&T said personal information such as Social Security numbers on 73 million current and former customers was released onto the dark web.
In the new incident, AT&T told CNN it learned in April that customer data was illegally downloaded from its workspace on Snowflake, a third-party cloud platform.
Brad Jones, chief information security officer at Snowflake, told CNN in a separate statement that the company has not found evidence this activity was “caused by a vulnerability, misconfiguration or breach of Snowflake’s platform.” Jones said this has been verified by investigations by third-party cybersecurity experts at Mandiant and CrowdStrike.
AT&T said it launched an investigation, hired cybersecurity experts and took steps to close the “illegal access point.”
The company said it’s cooperating with law enforcement’s efforts to apprehend those responsible and understands at least one person has already been arrested.
This story has been updated with additional context and developments.