By Cam Sivesind
Fri | Jul 12, 2024 | 12:12 PM PDT

On July 12, 2024, AT&T disclosed a data security incident that occurred in 2022. The company confirmed that unauthorized individuals accessed customer data stored on a third-party cloud platform.

The massive cyberattack exposed data from "nearly all" of AT&T's customers, which the attackers downloaded from a third-party cloud platform, the company said in a press release.

"We have taken steps to close off the illegal access point," AT&T said in the statement. The company said it was working with law enforcement to identify the culprits, and that at least one person had been apprehended.

The compromised data included files containing AT&T records of calls and texts from cellular customers, wireless network customers, and landline customers between May 2022 and October 2022, and records from January 2, 2023, for a small number of customers. The records identify the telephone numbers an AT&T cellular number interacted with during those periods, but do not contain the content of calls or texts or information such as SSNs or other personally identifiable information (PII).

AT&T said customer data was "illegally downloaded from our workspace on a third-party cloud platform." While the company did not specifically name the platform, some people are questioning whether the incident is linked to a recent series of data heists from the cloud data giant Snowflake, where attackers compromised hundreds of Snowflake customer instances. AT&T spokesperson Andrea Huguely apparently told TechCrunch that the customer records in the most recent compromise were stolen from the Snowflake platform.


"Companies using Snowflake should immediately implement multi-factor authentication (MFA) to enhance security and protect sensitive data. MFA provides an additional layer of defense against unauthorized access, significantly reducing the risk of breaches," said Jason Soroko, Senior Vice President of Product at Sectigo. "This is true, not just for Snowflake, but for anyone using a third-party service via an authenticated session, that authentication needs to be using a credential stronger than just username and password."

The breach has raised concerns about the security protocols in place at both AT&T and the third-party cloud provider. While cloud platforms offer numerous advantages in terms of scalability and accessibility, they also pose unique security challenges, particularly when handling vast amounts of sensitive data.

"AT&T's latest announcement revealing another major data breach is a painful, second blow to the millions of customers who have already lost trust after having their private information exposed by the company earlier this year," said Darren Guccione, CEO and Co-Founder at Keeper Security. "Although the leaked phone records do not contain the contents of calls and text messages, they do provide records of who customers interacted with, and some include identification numbers that could help bad actors determine where calls were made and texts were sent."

"The disclosure of this information—following the leak of Social Security numbers, names, email and mailing addresses, phone numbers, dates of birth, account numbers, and passcodes—is a clear violation of personal privacy and trust," Guccione said. "These massive breaches, affecting millions of customers, underscore the persistent and evolving threats to digital security, and why everyone must take concrete, proactive steps to safeguard their own sensitive information."

  • Change the password and passcode for your AT&T account immediately. A password manager can generate strong and unique passwords for every account.
  • Enable MFA to add an extra layer of security that makes it more difficult for cybercriminals to access your accounts.
  • Monitor your accounts for suspicious activity including strange transactions, unrecognized login attempts, and sign-ins from unknown devices.
  • Sign up for a dark web monitoring service like BreachWatch® so you can be notified immediately if your information has been compromised.
  • Freeze your credit to prevent lenders from approving new loans or credit lines in your name. You can unfreeze it at any time."

Upon discovering the breach, AT&T said it acted swiftly to mitigate the damage. The company's initial response involved:

  1. Identifying and isolating the breach: AT&T worked closely with the third-party cloud provider to identify the source of the breach and isolate the affected systems to prevent further unauthorized access.

  2. Notifying affected customers: Transparency is crucial in the wake of a data breach. AT&T promptly notified affected customers, providing them with information about the breach and advising them on steps to protect their personal information.

  3. Enhancing security measures: Immediate steps were taken to bolster security, including updating access controls, enhancing encryption protocols, and conducting comprehensive security audits to identify and address potential vulnerabilities.

"Mobile devices are one of the primary targets for attackers to compromise credentials, through either phishing, malware, network, or device exploits attacks, and are often overlooked by companies as part of their overall security strategy," said Kern Smith, Vice President, Americas, at Zimperium. "It is important that organizations ensure that both they, and their vendors have appropriate security tooling in place to prevent credential compromises which can be leveraged downstream for larger attacks and breaches. As part of a comprehensive security strategy, organizations must ensure that both they, and their vendor's mobile devices are protected from these attacks."

In addition to immediate damage control, AT&T said it has implemented several long-term measures to prevent future breaches and restore customer trust:

  1. Strengthening partnerships with cloud providers: AT&T is working closely with its third-party cloud providers to ensure that they adhere to the highest security standards. This includes regular security audits, compliance checks, and collaborative efforts to enhance overall data protection.

  2. Investing in advanced security technologies: To stay ahead of evolving cyber threats, AT&T is investing in advanced security technologies such as artificial intelligence and machine learning. These technologies can detect and respond to threats in real-time, providing an additional layer of defense against unauthorized access.

  3. Employee training and awareness: Human error remains one of the leading causes of data breaches. AT&T is ramping up its efforts to train employees on best practices for data security, emphasizing the importance of vigilance and adherence to security protocols.

  4. Customer support and protection: Recognizing the potential impact on its customers, AT&T is offering additional support services. This includes providing access to credit monitoring and identity theft protection services to help affected customers safeguard their personal information.

"This breach is also a wakeup call for organizations to reevaluate their cybersecurity strategies, emphasizing proactive measures over reactive responses. As cyber threats evolve, organizations must prioritize protecting customer data," Guccione said. "Today, identity applications require both authentication and end-to-end encryption to provide robust cybersecurity protection. Cybersecurity technologies protecting these environments must cover every user, on every device, from every location."
