AT&T has confirmed a major data breach affecting nearly all of its wireless customers, as well as those of mobile virtual network operators (MVNOs) using AT&T’s network. Between April 14 and April 25, 2024, threat actors accessed an AT&T workspace on a third-party cloud platform, resulting in the exfiltration of sensitive customer data.
Scope and Nature of the Breach
The compromised data includes records of customer call and text interactions from May 1 to October 31, 2022, and on January 2, 2023. This data consists of telephone numbers that interacted with AT&T or MVNO wireless numbers, interaction counts, and aggregate call durations. Some records also contain cell site identification numbers, which could allow threat actors to approximate the location of customers during interactions.
Affected MVNOs
The breach impacted a wide range of MVNOs, including:
- Black Wireless
- Boost Infinite
- Consumer Cellular
- Cricket Wireless
- FreedomPop
- FreeUp Mobile
- Good2Go
- H2O Wireless
- PureTalk
- Red Pocket
- Straight Talk Wireless
- TracFone Wireless
- Unreal Mobile
- Wing
Details of the Compromised Data
Although the breach did not include the content of calls or texts, nor personal information like Social Security numbers or dates of birth, it still poses significant risks. The stolen call data records (CDRs) are valuable for intelligence analysis, as they reveal communication patterns. Jake Williams, a former NSA hacker and faculty member at IANS Research, commented, “What the threat actors stole here are effectively call data records (CDR), which are a gold mine in intelligence analysis because they can be used to understand who is talking to who — and when.”
The Third-Party Cloud Provider and the Attacker
While AT&T did not name the third-party cloud provider, Snowflake confirmed its connection to the breach, which also affected other clients such as Ticketmaster, Santander, Neiman Marcus, and LendingTree. The attackers used stolen Snowflake credentials, obtained from dark web services, to access the data.
Identified by Google-owned Mandiant as part of the financially motivated threat actor group UNC5537, the attackers demanded ransoms ranging from $300,000 to $5 million for the stolen data. This group includes members based in North America and collaborates with a member in Turkey.
Response and Mitigation Efforts
AT&T discovered the breach on April 19, 2024, and promptly initiated its response protocols. The company secured the access point used in the breach and is working with law enforcement to apprehend those involved. As of the latest reports, John Binns, a 24-year-old U.S. citizen, has been apprehended in connection with the incident. Binns was previously arrested in Turkey and indicted in the U.S. for infiltrating T-Mobile in 2021 and selling its customer data.
Impact on Customers
AT&T is notifying current and former customers whose information was compromised. Although the breached data does not include names, the availability of phone numbers and call records increases the risk of phishing, smishing, and other online fraud. Customers are advised to be vigilant and only open messages from trusted senders.
In response, Snowflake has implemented mandatory multi-factor authentication (MFA) for all users to reduce the risk of future account takeovers.
Industry-Wide Implications
This breach highlights the vulnerabilities in third-party cloud platforms and the need for robust security measures. The fallout from the Snowflake data theft has affected 165 customers, illustrating the cascading effects of cyber incidents. This event underscores the critical importance of securing access points and implementing stringent authentication protocols to protect sensitive information.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
