AT&T loses ‘nearly all’ phone records in Snowflake breach

AT&T, a major telecom and mobile network operator in the US, has experienced a significant data breach affecting the phone records of its customers for a six-month period in 2022. The breach was part of a series of incidents impacting customers of Snowflake, a cloud data specialist.

AT&T discovered the breach on April 19, 2024, when a threat actor claimed to have accessed and copied its call logs. The company initiated its cyber incident response process at that time.

According to AT&T’s SEC filing, the unauthorized access occurred on a third-party cloud platform between April 14 and April 25, 2024. The stolen files contained customer call and text records from May 1 to October 31, 2022, and from January 2, 2023. Fortunately, the data did not include sensitive personal information.

The compromised records included details of calls and texts for almost all of AT&T’s wireless customers and customers of mobile virtual network operators (MVNOs) using AT&T’s network. The information identified phone numbers that interacted with AT&T numbers, the frequency of interactions, and call durations.

AT&T is reaching out to affected customers to provide guidance on protecting themselves from potential follow-on attacks. Rapid7’s Christiaan Beek cautioned customers to be vigilant against phishing attempts and other fraudulent activities.

The Snowflake connection

AT&T confirmed that the breach occurred through its Snowflake environment. The incident links AT&T to a growing list of Snowflake customers affected by cybercriminals, including Ticketmaster and Santander.

Snowflake investigations revealed that the breaches were a result of security lapses at the victims’ end. These incidents underscore the importance of securing third-party networks to prevent data breaches.

Rapid7’s Beek emphasized the need for organizations to prioritize cyber hygiene, including implementing multi-factor authentication (MFA) and promptly addressing vulnerabilities in network devices.

Confusion surrounds the nature of the Snowflake-related breaches following claims by a group called ShinyHunters. The group alleged responsibility for the breaches but has faced skepticism, with EPAM, a Belarus-based contractor, denying any involvement.

The ongoing investigations will likely shed light on the true extent of the breaches and the parties involved.

MFA by default

Snowflake recently implemented changes to enhance security, including a new policy for multi-factor authentication (MFA). The policy encourages users to enable MFA, allows admins to enforce it by default, and provides monitoring capabilities for compliance.

These measures aim to strengthen account protection and combat cyber threats like credential stuffing. Security experts recommend enabling MFA by default to safeguard sensitive data.
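As an added illustration of what “enforce MFA by default and monitor for compliance” looks like in practice on a Snowflake account, the statements below show one enforcement step and two audit queries. This is example code written for this article, not Snowflake’s published policy text or anything AT&T ran; the authentication-policy syntax, the `snowflake.account_usage.users` and `login_history` view names and their columns are assumptions drawn from Snowflake’s documentation and should be checked against the current docs before use.

```sql
-- 1. Enforce: an account-level authentication policy that requires every
--    password-based user to enrol in MFA (assumed syntax, see lead-in).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED;

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 2. Monitor: active users who can log in with a password but have no MFA.
--    Every row here is an account that a stolen or stuffed credential alone
--    would unlock.
SELECT name,
       last_success_login,
       has_password,
       has_mfa
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled   = FALSE
  AND  has_password = TRUE
  AND  has_mfa      = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 3. Detect: successful password logins in the last 7 days that presented no
--    second factor, with the source IP and client, so single-factor access
--    from unexpected networks or tools stands out.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND  first_authentication_factor  = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;
```

Query 2 is the compliance report the article alludes to: it should return no rows once the policy in step 1 has been applied and every user has enrolled. Query 3 is the companion detection; because `account_usage` views lag live activity by a few hours, it suits a scheduled daily review rather than real-time alerting.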
