US mobile phone giant AT&T confirmed on Friday that it will begin notifying millions of consumers about a new data breach that allowed cybercriminals to steal the call records of “almost all” of its customers, a company spokesperson told TechCrunch.
AT&T said in a statement that the stolen data included mobile and landline customer phone numbers, as well as call and text message records for a six-month period between May 1, 2022 and Oct. 31, 2022, including who called and texted whom.
AT&T said the stolen data also included records relating to a small number of more recent, unspecified customers as of Jan. 2, 2023.
The company said the stolen data also included call records of customers whose phone services are with other mobile phone companies that rely on AT&T's network.
AT&T said the stolen data “does not include the content of calls or texts,” but does include information known as metadata, such as records of calls and texts made to AT&T numbers over a six-month period, the total number of calls and texts made by customers, and the duration of calls. The stolen data does not include the dates and times of calls or texts, AT&T said.
Among the stolen records are cell site identification numbers associated with phone calls and text messages, and that information can be used to pinpoint the approximate location of where a call was made or a text message was sent.
Company spokesperson Andrea Huguely told TechCrunch that the company plans to notify AT&T's approximately 110 million customers about the data breach.
AT&T posted information about the data incident on its website for customers, and also disclosed the breach in a regulatory filing before the market opened on Friday.
Snowflake-related breaches
AT&T said it learned of the data breach on April 19 and that it was unrelated to an earlier security incident in March.
AT&T's Huguely told TechCrunch that the customer records in the latest breach were stolen from the company in a series of recent data thefts targeting customers of cloud data giant Snowflake.
Snowflake allows tech companies, telecommunications companies and other business clients to analyze vast amounts of customer data in the cloud. It's unclear why AT&T was storing its customers' data on Snowflake, and a spokesperson declined to comment.
AT&T is the latest company to acknowledge that data was stolen from Snowflake in recent weeks, joining Ticketmaster and LendingTree subsidiary QuoteWizard, among others.
Snowflake blamed the data theft on customers not using multi-factor authentication to secure their Snowflake accounts, a security feature the cloud data giant did not enforce or require customers to use.
Mandiant, a cybersecurity incident response firm that Snowflake enlisted to help notify customers, later said “large amounts of data” had been stolen from the customer accounts of approximately 165 Snowflake customers.
Mandiant attributed the intrusion to an as-yet-unclassified cybercrime group tracked only as UNC5537. Mandiant researchers said the hackers were financially motivated and had members across North America, with at least one in Turkey.
Some of the other companies that were victims of the Snowflake account thefts have since had their data published on cybercrime forums, though AT&T said it doesn't believe the data has been made public at this time.
According to a statement from AT&T, the company is working with law enforcement to apprehend the cybercriminals involved in the breach. AT&T said that “at least one arrest has been made.” An AT&T spokesperson said that the individuals arrested are not AT&T employees, but referred questions about the suspects to the FBI.
An FBI spokesperson confirmed to TechCrunch on Friday that after the mobile phone giant contacted the FBI to report the breach, AT&T, the FBI and the Department of Justice agreed to a second delay in notifying the public and customers, citing “potential risks to national security and public safety.”
“AT&T, the FBI and DOJ worked together throughout the first and second deferral processes, sharing significant threat information to enhance the FBI's investigative powers and assist AT&T in its incident response efforts,” an FBI spokesperson said.
The FBI did not comment on the arrest of one of the cybercrime suspects.
This is the second security incident that AT&T has disclosed this year, forcing the company to reset millions of customer account passcodes after a cache of customer account information, including encrypted passcodes to access AT&T customer accounts, was exposed on a cybercrime forum. At the time, security researchers told TechCrunch that the encrypted passcodes were easy to crack, and AT&T took precautions to secure customer accounts.
Updated with comment from the FBI.