Telecom giant AT&T has confirmed that a significant data breach has affected nearly all its wireless customers and users of mobile virtual network operators (MVNOs) on its network.
“Between April 14 and April 25, 2024, unauthorized individuals accessed an AT&T workspace hosted on a third-party cloud platform and exfiltrated files detailing customer call and text interactions from May 1 to October 31, 2022, and January 2, 2023,” stated AT&T.
The compromised data includes telephone numbers involved in interactions with AT&T or MVNO wireless numbers, counts of those interactions, and aggregate call duration. Some records also contained cell site identification numbers, potentially enabling the attackers to estimate the location of customers when calls were made or texts were sent. AT&T will notify affected current and former customers.
Former NSA hacker Jake Williams, now with IANS Research, commented, “The stolen call data records (CDR) are invaluable for intelligence analysis, as they reveal patterns of communication.”
AT&T’s MVNO partners include brands like Black Wireless, Boost Infinite, Consumer Cellular, Cricket Wireless, FreedomPop, and more. While the third-party cloud provider was not identified by AT&T, Snowflake has acknowledged that the breach is linked to the same hack affecting other companies like Ticketmaster and Neiman Marcus.
AT&T discovered the breach on April 19, 2024, and has since collaborated with law enforcement, resulting in at least one arrest. According to 404 Media, 24-year-old U.S. citizen John Binns, previously arrested in Turkey in May 2024 and indicted in the U.S. for a 2021 T-Mobile breach, is connected to this incident.
AT&T emphasized that no content of calls or texts, nor personal information such as Social Security numbers or dates of birth, was exposed. However, caution is advised, as online tools can sometimes link telephone numbers to individual identities.
The company warns customers to be vigilant against phishing and other fraud, advising them to trust only verified senders. Affected customers can request to see which phone numbers in their interaction records were accessed.
The same campaign hit other Snowflake customers. The activity is attributed to the financially motivated threat actor UNC5537, whose members are based in North America and Turkey; the group has demanded ransoms ranging from $300,000 to $5 million from victims for the stolen data.
WIRED reported that the attackers used Snowflake customer credentials that had been stolen by infostealer malware and traded on dark web services, and that one path to victim data ran through a third-party contractor, EPAM Systems. In response, Snowflake has given account administrators the ability to enforce multi-factor authentication (MFA) for every user in an account and has said it will require MFA by default for newly created accounts.
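The following is an added example, not part of the original report and not AT&T's or Snowflake's own configuration. It shows what the two controls that would have blunted this campaign look like in Snowflake SQL: an account-level authentication policy that forces MFA enrollment for password logins, a network policy that limits where logins may come from, and a query against the account usage views that finds the exposure the attackers relied on, namely successful password-only logins with no second factor. The policy names and the 203.0.113.0/24 range are assumptions for illustration; the column and parameter names are Snowflake's.

```sql
-- Added example (not from the original article or from Snowflake's own docs).
-- Assumed names: require_mfa, corp_only; 203.0.113.0/24 is a documentation range.

-- 1. Find the weakness first: successful logins in the last 30 days that used
--    a password with no second factor. Each row is an account an infostealer
--    credential would have been enough to open.
SELECT user_name,
       client_ip,
       reported_client_type,
       event_timestamp
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor  = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;

-- 2. Corrected setting: require MFA enrollment for password-based logins,
--    from every client type, and apply it to the whole account.
CREATE AUTHENTICATION POLICY require_mfa
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  CLIENT_TYPES               = ('ALL')
  COMMENT = 'Block password-only logins; added-example policy';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Defense in depth: a stolen credential used from an attacker's machine
--    should also fail a source-address check.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Assumed corporate egress range; added-example policy';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 4. Verify: after the change, the login query above should return no new rows
--    for human users, and any that remain are the accounts to chase down.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

The ordering matters in practice: run the login_history query before enforcing the policy, because the weak setting being replaced is exactly the one that let a credential harvested from a contractor's laptop work with no further challenge, and the query tells you which users and which client IPs were exercising it. Service accounts that legitimately cannot complete MFA should be moved to key-pair or OAuth authentication rather than exempted from the policy.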