
The looming danger of AT&T phone records leak


From targeted wiretapping to mass surveillance operations, phone companies have been at the center of privacy concerns for decades, and their time in the spotlight is not over yet. On Friday, telecom giant AT&T announced that it recently suffered a data breach that affected the call and text message records of “almost all” of its customers. The company is in the process of notifying some 110 million people who were affected.

AT&T said in a U.S. Securities and Exchange Commission filing that it learned of the data breach on April 19. The attackers exfiltrated data between April 14 and April 25. The company said in its SEC filing that the U.S. Department of Justice authorized deferred disclosure of the breach on May 9 and again on June 5, pending the investigation. AT&T added that it is “working with law enforcement in their efforts to arrest those involved in the incident.” So far, “at least one person has been detained.”

“Yes, this is really bad,” says Jake Williams, vice president of research and development at cybersecurity consultancy Hunter Strategy. “What the threat actors stole here is basically call data records. These are a goldmine in intelligence analysis because they allow someone to understand networks – who is talking to whom and when. And threat actors have data from previous attacks to map phone numbers to identities. But even without identifying data on a phone number, closed networks, where numbers are only communicating with others on the same network, are almost always interesting.”

The incident is significant not only for its magnitude and scope, but because AT&T says it is the latest in a series of data breaches that have occurred as attackers compromised organizations’ Snowflake cloud accounts. Snowflake is a data storage platform, and attackers harvested its customers’ account credentials in recent months to steal hundreds of millions of records from about 165 Snowflake customers, including Ticketmaster, Santander bank and LendingTree’s QuoteWizard.

The AT&T data comes from landline and wireless accounts and spans from May 1, 2022, to Oct. 31, 2022. A smaller, undisclosed number of people also had records from Jan. 2, 2023, stolen in the breach. The company said Friday that the data set “does not contain the content of calls or text messages” and does not include the date and time of communications. But the attackers did take phone numbers and a massive amount of so-called “metadata” about calls and texts, including who contacted whom, the duration of calls and counts of a customer’s total calls and texts. The set also includes some cell site identification numbers — essentially cell tower data that can be used to approximate a cell phone’s location when it made or received a call or text.

The data includes some records of people who are customers of telephone carriers, known as “mobile virtual network operators,” which have contracts with AT&T to use the larger company’s networks and infrastructure for their service. And, crucially, the stolen material exposes people who have no relationship with AT&T when they communicated with an AT&T customer during the relevant time periods.
