What you need to know
- Hackers stole phone records of over 100 million AT&T customers from 2022, including phone numbers, call/text counts, durations, and cell site IDs.
- AT&T reported the breach to the SEC and is working with law enforcement, leading to the arrest of a suspect.
- Mandiant attributed the breach to UNC5537, likely motivated by financial gain.
Hackers nabbed phone records of over 100 million AT&T customers from 2022, including data such as phone numbers, call/text counts, durations, and cell site identification numbers, TechCrunch reports.
AT&T has already reported the data breach to the U.S. Securities and Exchange Commission. The company is also working closely with law enforcement to sort this out, and it’s paying off—they've already caught a suspect linked to the breach.
In its SEC filing, AT&T disclosed that cybercriminals accessed and stole customer call and text data covering May 1, 2022, to October 31, 2022, plus another breach on January 2, 2023, affecting a few customers. The investigation shows the breach happened between April 14 and April 25, 2024.
Furthermore, AT&T told TechCrunch that the data breach affected customers of other networks using AT&T’s infrastructure. This includes call records for users of Cricket Wireless, Boost Mobile, and Consumer Cellular.
AT&T says it will reach out to all 110 million affected customers soon to keep everyone in the loop about the breach. Plus, it has set up a website where you can find answers and info about what happened.
An AT&T spokesperson confirmed to TechCrunch that the breach stemmed from a hacked account on Snowflake, a third-party cloud platform. Similar breaches at Ticketmaster and QuoteWizard were also linked to Snowflake. The cloud company blamed the lack of multi-factor authentication on the AT&T account, underscoring the need for strong cybersecurity from both customers and vendors.
Snowflake allows companies to keep extensive customer data in the cloud for analysis. AT&T hasn't clarified why it wants to analyze such large amounts of data or why it's using Snowflake for storage, as per TechCrunch.
Cybersecurity experts at Mandiant have attributed the data breach to UNC5537, an unidentified cybercriminal group. Mandiant suggests the attack was likely financially motivated, meaning the stolen data could be used for fraud.
At the very least, hackers didn't access the content of calls and texts, or any personal information like names, Social Security numbers, or dates of birth. However, even though customer names weren't part of the breach, it's still possible to match a name with a phone number using online tools.
A big issue here is the delay in telling the public. AT&T knew about the breach in April but held off on announcing it twice. TechCrunch reports that the FBI, AT&T, and the Department of Justice agreed to keep it quiet due to national security and safety concerns. The specifics aren't clear, but this delay raises transparency questions and shows how tricky balancing cybersecurity and national security can be.
This recent breach is another hit to AT&T's cybersecurity efforts, coming soon after a separate leak earlier this year that affected over 70 million customers. While AT&T claims the incidents are unrelated, the back-to-back breaches raise serious questions about the company's data security strategy and its ability to protect customer information.