AT&T Discloses Breach of Customer Data

As part of a regulatory filing by AT&T on 7/12, the company disclosed customer data was illegally downloaded from its third-party cloud-based data warehousing platform Snowflake.

AT&T is one of over 150 companies believed to have had data stolen from Snowflake accounts that lacked proper multi-factor authentication during a hacking spree in April and May. Other notable victims include Ticketmaster, Santander, LendingTree, and Advance Auto Parts.

AT&T Breach: What Happened?

AT&T commissioned an investigation by a leading cybersecurity vendor and found that the downloaded data included phone call and text message records of all AT&T cellular customers from May 1, 2022, to October 31, 2022, and January 2, 2023.

These records identify other phone numbers that an AT&T wireless number interacted with including AT&T landline (home phone) customers. One or more cell site ID numbers associated with the interactions are also included for a subset of the records.

At this time, AT&T does not believe the data is publicly available. AT&T continues to work with law enforcement in their efforts to arrest those involved. Based on the information available, AT&T reported that at least one person has been apprehended.

Data Involved

The call and text records identify the phone numbers with which an AT&T number interacted during this period, including AT&T landline (home phone) customers. It also included counts of those calls or texts and total call durations for specific days or months.

Data Not Involved

The downloaded data does not include the content of any calls or texts. It does not have the time stamps for the calls or texts. It also does not have any details such as Social Security numbers, dates of birth, or other personally identifiable information.

While the data does not include customer names, there are often ways to find a name associated with a phone number using publicly available reverse-lookup programs.

The Justice Department Delays Public Disclosure

The company said the US Department of Justice Department determined in May and in June that a delay in public disclosure was warranted. The FBI said AT&T reached out shortly after learning about the hack, but the agency wanted to review the data for potential national security or public safety risks.

This is the first cyber incident in which the Justice Department has asked a company to delay filing a disclosure with the SEC because of potential national security or public safety concerns.

Effectiveness of the SEC Materiality Rule

The breach points to a lack of security control testing for multi-factor authentication. As one of the world’s leading telecommunications providers, the company’s actions are alarming. A company of AT&T’s size and global impact is expected to lead the way in security and not succumb to a lack of foundational cybersecurity controls.

This incident once again focuses on the SEC requirement for publicly traded companies to report material cybersecurity incidents. What is not clear is the rule’s effectiveness which does not require the Board of Directors to have cybersecurity expertise.

Cybersecurity investigative journalist Brian Krebs wrote, “It remains unclear why so many major corporations persist in the belief that it is somehow acceptable to store so much sensitive customer data with so few security protections. That may be because, apart from the class-action lawsuits that invariably ensue after these breaches, there is little holding companies accountable for sloppy security practices.”

In AT&T’s eighty-page 2024 proxy statement, the word “cybersecurity” appears just four times — once in a director’s biography related to private equity experience and the remainder located in required board and audit committee duties verbiage.

The SEC can do better.

AT&T can do better, and its customers DESERVE better.