AT&T said Friday that cybercriminals had stolen call records from “almost all” of its customers, a data breach that will force the company to notify about 110 million people.
AT&T said the stolen data included records of which phone numbers certain customers called and texted, as well as the total number of calls and text messages and the duration of calls, for a six-month period between May 1, 2022 and Oct. 31, 2022. AT&T said the stolen data did not include the content, times or dates of calls or text messages.
AT&T said that for some affected customers, cybercriminals were also able to steal cell tower identification numbers linked to phone calls and text messages, meaning someone could potentially use this information to determine the customer's approximate location when they made a particular call or sent a text message and infer sensitive information about the customer's life.
“This could potentially reveal who is secretly communicating with whom, including where they live, where they work, where they spend their free time, infidelity or criminal communications, and typically private conversations that need to be kept secret,” said Rachel Tobac, a social engineering expert and founder of cybersecurity firm Social Proof Security. “This is a big deal for those affected.”
AT&T attributed the incident to the recent data breach at cloud service provider Snowflake, which has affected dozens of companies, including Ticketmaster, Santander Bank and LendingTree subsidiary QuoteWizard. At this time, it is unclear who was behind the Snowflake data breach. Mandiant, the cybersecurity firm that Snowflake hired to investigate, said the financially motivated cybercrime group UNC5537 was involved.
The type of data stolen in the AT&T data breach is commonly referred to as metadata because it doesn't include the content of calls or texts, only information about those calls and texts. However, that doesn't mean it's without risk for victims of this breach.
Tobac said this kind of data makes it easier for cybercriminals to impersonate trusted people, enabling more believable social engineering and phishing attacks against AT&T customers.
“The stolen metadata could allow attackers to know exactly who you're likely to receive calls from, who you're likely to hear back from, how long you've been communicating with that person, and even where you were during the conversation,” Tobac said.
“Even if you're not doing anything 'important' or 'sensitive', who you talk to, when and how often is personal to you and should remain private as well,” said Runa Sandvik, founder of Granitt, a company that helps keep journalists and activists safe.
“I think everyone should be very angry about this and demand that telcos do better. It's not enough to say, 'We're sorry your data was stolen and we take this very seriously,'” Sandvik told TechCrunch.
Sandvik said the breach is of greater concern for high-risk individuals who fell victim to it: “Some people might consider changing their phone numbers and using a different provider, but it depends on the situation.” High-risk individuals could also include those who have reason to conceal their identities, such as victims of domestic violence.
Sandvik also said that using encrypted chat apps such as Signal or WhatsApp, which don't retain the type of metadata that AT&T lost, may be better in terms of security because these companies have a good track record of protecting user data.
Jake Williams, a cybersecurity expert and former NSA hacker, told TechCrunch that the AT&T breach makes the risks greater for corporate and intelligence targets.
“Threat actors can use this data to create patterns of life,” Williams said. “Call data records provide extremely valuable information for intelligence analysts.”
Williams also said it's possible that hackers could combine this data with data from earlier breaches, since “in the previous AT&T incident, customer phone numbers were mapped to other identifying information, making the newly compromised data easier to weaponize.”
Call and text metadata has traditionally been valuable information to intelligence agencies: Documents leaked by former NSA contractor Edward Snowden more than a decade ago revealed that the National Security Agency obtained large amounts of customer metadata from Verizon “on a continuous, daily basis.”
The U.S. government has long argued the practice is an essential tool for fighting terrorism, and successive administrations over the past decade have been reluctant to give up the capability. “There's a reason telecommunications companies are so frequently targeted by foreign intelligence services,” a former intelligence official, who requested anonymity because he wasn't authorized to speak to the press, told TechCrunch, citing efforts to identify potential sources and assets.
“Essentially, this data is a gold mine for understanding who's spoken to whom and can be used for human resource development, for example,” Williams said.