AT&T Data Breach: ‘Nearly All’ Wireless Customers Exposed in Massive Hack

A massive data breach at AT&T that exposed nearly all its wireless customers has been linked to the recent attacks targeting Snowflake customers.

AT&T on Friday said almost all its wireless subscribers were exposed in a massive hack that occurred between April 14 and April 25, 2024. During that window, a hacker exfiltrated files containing “records of customer call and text interactions” that took place between approximately May 1 and October 31, 2022, as well as on January 2, 2023.

In an SEC filing, the global telecommunications giant said the stolen data does not contain the content of calls or texts, or personal information such as Social Security numbers, dates of birth, or other personally identifiable information.

“Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network,” the company disclosed in the filing. “These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included.”

The company also explained that while the data does not include customer names, there are ways to find the name associated with a specific telephone number via publicly available online tools.

While it did report the incident to the SEC, AT&T claims the incident “has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations.”

How did AT&T get hacked?

AT&T said customer data was “illegally downloaded from our workspace on a third-party cloud platform.” While the company did not specifically name the platform, multiple sources have linked the incident to a recent series of data heists from the Snowflake platform, where attackers compromised hundreds of Snowflake instances.

In June, Mandiant said a financially motivated threat actor tracked as UNC5537 had compromised hundreds of Snowflake instances using customer credentials stolen via infostealer malware that infected non-Snowflake owned systems.

AT&T said it does not believe that the stolen data is currently publicly available, and that at least one person has been apprehended. 

Ticketmaster, Santander Bank, Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, and State Farm were previously named as potential victims in the Snowflake attack campaign.
