AT&T Data Hack Prompts FCC Probe, Raises Broad Security Concerns

The data includes customer calls and texts for a six-month period.

Bloomberg News

July 12, 2024

(Bloomberg) -- AT&T Inc. said on Friday that hackers stole a cache of six months' worth of mobile-phone customer data, disclosing for the first time a massive cybersecurity breach that threatens national security.

The breach at the telecommunications giant included calls and text information for nearly all of its cellular customers from May 1, 2022 to Oct. 31 of that year, and it included the numbers they were calling and a smaller subset of location data.

The trove represents a potential minefield of privacy and national security issues for intelligence agents, police officers, stalking victims, journalists and therapists, an endless list of disturbing possibilities. AT&T has almost 115 million customers.

The Federal Communications Commission said it was investigating the breach, and federal law enforcement authorities said they worked with AT&T to delay announcing it amid potential risks to national security or public safety. AT&T said in a statement to Bloomberg that as part of its effort to cooperate with law enforcement in their ongoing investigation into the hack, it delayed the announcement to avoid undermining law enforcement’s work. The company said it believes at least one person has been apprehended in connection with the incident. 

AT&T said it has taken additional security measures in response to the cyberattack, in which records were illegally downloaded from a workspace account at the cloud-service provider Snowflake Inc. The unlawful access has been shut off, the company said, adding it began notifying affected customers Friday.

But urgent questions remain, including what became of the haul of sensitive data and who was behind the hack. Did AT&T pay the hackers to keep the trove from going public?

AT&T doesn’t believe the information has become publicly available at the time of its July 12 filing on the matter with the Securities and Exchange Commission. But the company has declined to comment on other questions. It told investors it doesn’t believe the breach was likely to materially impact its financial condition or results of operations.

Tim Hickman, the head of the data, privacy and cybersecurity practice at the law firm White & Case LLP, said AT&T’s disclosure that it delayed notification of the breach until Friday indicates the stolen records no longer pose a threat. That suggests a few possible scenarios, he said: Law enforcement neutralized the threat through arrests or other measures; AT&T paid the hackers a ransom; or the company learned enough to conclude that it was no longer a threat.

Still, the intrusion is a blow for the company, which has $122 billion in annual revenue. AT&T touts its services not only as a major retail and business provider but also as a government contractor to US intelligence and defense customers. It provides telephone service for US military customers and a nationwide emergency response network.

The hack is also a sobering reminder that cyber crooks remain a national scourge, despite massive efforts by Western governments and security companies to thwart them.

“Between companies failing to protect consumers’ privacy and executive agencies neglecting to secure our critical infrastructure, one thing is clear: we ought to be prioritizing our cyber defenses starting yesterday,” US Senator Chuck Grassley, the Republican from Iowa, said in a statement. “From where I’m sitting, the to-do list on cyber gets longer and more urgent with each passing day.”

Within hours of the announcement, critics were warning of the potential dangers.

“An unknown entity now has an NSA-level view into Americans’ lives,” John Scott-Railton, a senior researcher at the Citizen Lab, a research group at the University of Toronto, said in a post on X. 

James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies, said that although AT&T has said no content or personally identifiable information was exposed, “You could still correlate metadata to see who is interacting to whom.”

Any intelligence agency that got hold of the information could use it to examine, for example, who in China is talking to Americans, to try to determine who might be spying for the US, Lewis said. Criminal hackers might find it harder to monetize such data, however, he said.

In its filing Friday, AT&T said the compromised records didn’t include the content of communications or personal information such as Social Security numbers. However, AT&T said the logs identify the telephone numbers with which AT&T customers — and customers of other wireless service providers that use its network — interacted during that period. 

“While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” the company said. In other words, with a little effort, someone could determine who was calling and texting with whom.

For a subset of the stolen records, identification numbers for cell sites, such as towers or antennas, were included, providing some location information on users.

A spokesperson for the US Cybersecurity and Infrastructure Security Agency said it was aware of the incident and working with AT&T and other government agencies to assess the impact.

Bloomberg News reported on April 1 that personal data from about 73 million current and former AT&T customers was leaked on the dark web. That information appeared to be from 2019 and earlier and isn’t connected to the breach reported Friday, a spokesperson told Bloomberg.

Last month, Snowflake said that hackers had targeted its customers. The intruders used stolen login details to access the accounts of as many as 165 Snowflake customers — including LendingTree Inc., Advance Auto Parts Inc., Pure Storage Inc. and the Ticketmaster division of Live Nation Entertainment Inc. The hackers didn’t breach Snowflake but used credentials that were available in places like cyber-criminal forums to access customer accounts, which lacked security measures such as multifactor authentication.

A spokesperson for Snowflake referred Bloomberg News to a statement from May. “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform,” Chief Information Security Officer Brad Jones said at the time. 
