Senators are putting pressure on AT&T to disclose more details around a massive data breach involving “nearly all” - or 110 million - of its customers, including how threat actors initially gained access to customer information.
The company first disclosed the incident on Friday, saying that between April 14 and April 25, the attackers were able to exfiltrate files containing AT&T records of call and text interactions made between May 1 and Oct. 31, 2022, and on Jan. 2, 2023, as well as a subset of stolen records with location-related cell site identification numbers. In a letter to AT&T CEO John Stankey on Tuesday, senators Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.), both on the U.S. Senate Subcommittee on Privacy, Technology and the Law, sought answers “about how AT&T failed to protect such profoundly sensitive information from cybercriminals.”
“While the records do not directly include names and addresses, as AT&T’s Securities and Exchange Commission filing notes, the stolen data includes location information and it is easy to find the name associated with a phone number,” according to the letter. “Taken together, the stolen information can easily provide cybercriminals, spies, and stalkers a logbook of the communications and activities of AT&T customers over several months, including where those customers live and traveled — a stunning and dangerous breach of its customers’ privacy and intrusion into their personal lives.”
An AT&T spokesperson said that the activity involves data storage and analytics company Snowflake; however, AT&T has not commented on the initial cause of the security incident outside of linking it to Snowflake, with a spokesperson telling Decipher "it is AT&T’s policy not to discuss specific details about the security of our systems."
According to Mandiant researchers, around 165 Snowflake customers have been targeted by threat actors that leveraged compromised credentials for accounts that did not have multi-factor authentication (MFA) enabled, including Ticketmaster, Santander Bank and Advance Auto Parts. When asked specifically about the AT&T incident, a Snowflake spokesperson pointed to a previously published statement by Snowflake CISO Brad Jones on the spate of attacks: "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform."
Blumenthal and Hawley told AT&T that it has until July 29, 2024, to provide more details about how hackers behind the breach initially were able to gain access to its Snowflake services and download customer data, whether the breach included information that was stolen from a contractor, and who that contractor was. They also sent a separate letter to Snowflake CEO Sridhar Ramaswamy asking for more details about the timeline, investigation, and notification around the attacks targeting the company's customers, and asking why Snowflake had not enforced MFA for its clients.
“Disturbingly, the AT&T breach appears to have been easily preventable,” said Blumenthal and Hawley. “While Snowflake, AT&T, and other clients have avoided taking direct responsibility, according to Mandiant, it appears that the cybercrime group behind the breaches obtained companies’ passwords from malware infections, including malware bundled with pirated software.”
Another of the senators' inquiries for AT&T touched on a critical part of the breach: why AT&T had retained months of detailed records of customer communications, why the company had uploaded that highly sensitive data to a third-party platform, and whether these practices are in line with AT&T’s existing policies.
The letter also asked AT&T to provide a detailed timeline of all events related to the breach (such as the date of discovery, response and remediation), which mobile virtual network operators were impacted by the breach and whether they’ve been notified, and how AT&T plans to notify and protect impacted customers.
Finally, the letter asked for more information about an ongoing investigation into a separate AT&T breach that occurred just four months ago. In March, the company had responded to a separate data set being released on the dark web, which appeared to contain data from 2019 or earlier and impacted 7.6 million current AT&T account holders and 65.4 million former account holders. The data compromised in that incident included personal information such as full names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, AT&T account numbers and passcodes.
In addition to answers from AT&T, senators are calling on the government to do a better job holding telecommunication carriers like AT&T and T-Mobile that have been hit by security breaches in recent years accountable for a lack of cybersecurity measures.
“This is not the first data breach revealed by a major phone company and it won’t be the last,” said Sen. Ron Wyden (D-Ore.) in a statement. “These hacks, which are almost always the result of inadequate cybersecurity, won’t end until the FCC starts holding the carriers accountable for their negligence. These companies will keep shortchanging customer security until it hits them in the wallet with billion dollar fines."