
AT&T breach affects 'nearly all' customers' call, text records

Fallout from the attacks on Snowflake customers continues as AT&T is the latest victim organization to disclose a data breach stemming from a compromised cloud instance.

AT&T disclosed a massive Snowflake-related data breach that affected nearly all its cellular customers.

In a statement on Friday, AT&T confirmed that customer data stored on a Snowflake-hosted cloud workspace was stolen in April. Compromised data included AT&T records of calls and text messages for cellular customers between May 1, 2022, and Oct. 31, 2022. In addition to nearly all AT&T cellular customers, the breach also affected customers of mobile virtual network operators that use AT&T's wireless network and AT&T's landline customers who interacted with the compromised cellular numbers between May and October of 2022.

AT&T said the stolen data includes call and text message records from Jan. 2, 2023, for "a very small number of customers." However, the telecommunications giant said the breach did not reveal the content of those records, Social Security numbers or other personally identifiable information.

"In April, AT&T learned that customer data was illegally downloaded from our workspace on a third-party cloud platform. We launched an investigation and engaged leading cybersecurity experts to understand the nature and scope of the criminal activity," AT&T wrote in the statement. "We have taken steps to close off the illegal access point. We are working with law enforcement in its efforts to arrest those involved in the incident."

While the statement did not name the third-party cloud platform, an AT&T spokesperson confirmed to TechTarget Editorial that the provider is Snowflake.

In an 8-K filing on Friday, AT&T provided additional details about the incident, which took place between April 14 and April 25. The filing also said the U.S. Department of Justice determined on two occasions that "a delay in providing public disclosure was warranted" and that AT&T is working with law enforcement and assisting their efforts to arrest the attackers. So far, AT&T revealed that at least one person has been apprehended in relation to the data breach. However, the statement and 8-K filing did not reveal the attacker's identity.

The 8-K form also revealed that AT&T initially learned of the breach because a "threat actor claimed to have unlawfully accessed and copied AT&T call logs." While AT&T did not confirm ransomware gangs or extortion groups were involved, it's common for such threat actors to claim victims by posting stolen data on public data leak sites. AT&T said it "immediately activated" its incident response protocols following the claims.

John Scott-Railton, senior researcher with the Citizen Lab at the University of Toronto, stressed how vast the attack scope is in a post to X, formerly Twitter, on Friday. In addition to privacy risks from the stolen data, he expressed concern about national security implications for government officials.

AT&T is the latest victim organization to disclose a Snowflake-related breach. In May, security vendor Mitiga disclosed that a threat group tracked as UNC5537 was using stolen credentials to compromise Snowflake customers. Last month, Mandiant provided additional information on the attack timeline, including that targeted customers had exposed credentials and did not have MFA enabled on their accounts. Other victims of the Snowflake attacks include Neiman Marcus, Santander and Ticketmaster.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
