Call logs and text records belonging to 109 million people have been exposed in a breach at US telco AT&T. According to a Form 8-K filing with the US Securities and Exchange Commission (SEC), the records date from 1 May to October 31 2022 and on 2 January 2023 and were stolen from the US telco’s Snowflake account between 14-25 April – though it learned that hackers were claiming to have taken by 19 April. AT&T confirmed that none of the data contained any content of calls or texts or any personally identifiable information.
“AT&T immediately activated its incident response process to investigate and retained external cybersecurity experts to assist,” wrote the company in its Form 8-K Filing. “AT&T has taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access. AT&T will provide notice to its current and former impacted customers.”
AT&T permitted to defer disclosure of hack by DoJ
Though it took place in April, the US Department of Justice twice permitted AT&T to delay public disclosure of the breach. The telco said that it did not believe any of the data stolen in the hack had yet been made public and that the incident was unlikely to “materially impact” its finances or operations.
The impact on customers is harder to fathom. Though no personal data was contained in the exfiltrated data, said AT&T, “there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”
It’s also not the first time this year that the US telco has been victim to a breach. In early April AT&T reported that 73 million current and former account holders with the firm were potentially impacted by the leak, which included customer passcodes and Social Security numbers dating to 2019. That followed another breach report by the firm in March 2023 in which 9 million customers were affected.
Campaign against Snowflake appears to claim new corporate victim
AT&T appears to be the latest victim of a cybercriminal campaign against cloud storage firm Snowflake earlier this year. According to cybersecurity firm Mandiant, at least 165 customer accounts at the cloud storage company have been potentially compromised by a threat actor it calls UNC5537. This cybercriminal gang, said Mandiant, “is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.” That campaign has been linked to massive breaches at Santander, Ticketmaster and other major companies – though Snowflake has denied that these incidents originated with any of its compromised accounts.