Analysis Summary

The American telecom service provider AT&T has acknowledged that threat actors were able to obtain data belonging to almost all of its cellular customers as well as clients of mobile virtual network operators (MVNOs) that use AT&T's wireless network.

The company said that between April 14 and April 25, 2024, threat actors gained unauthorized access to an AT&T workspace on a third-party cloud platform. From there, they exfiltrated files that contained AT&T call and text records of customer contacts that happened between May 1 and October 31, 2022, as well as on January 2, 2023.

This includes phone numbers of AT&T landline customers and customers of other carriers, counts of those encounters, and the total call time for a day or month. It also includes phone numbers with whom an AT&T or MVNO cellphone number interacted. When a call or text message was placed, the threat actors might have been able to determine the approximate position of the client thanks to the inclusion of one or more cell site identification numbers in a portion of these records. If any of its previous or present customers' information was compromised, AT&T promised to notify them.

The threat actors have mapped phone numbers to individuals using information from earlier breaches. The call data records (CDR) that the threat actors stole in this instance are essentially a gold mine for intelligence research because they can be utilized to determine who is speaking to whom and when. Black Wireless, Boost Infinite, Consumer Cellular, Cricket Wireless, FreedomPop, FreeUp Mobile, Good2Go, H2O Wireless, PureTalk, Red Pocket, Straight Talk Wireless, TracFone Wireless, Unreal Mobile, and Wing are among the MVNOs offered by AT&T.

AT&T withheld the identity of the third-party cloud service; however, Snowflake subsequently verified that the breach was linked to the attack that affected other clients, including Ticketmaster, Santander, Neiman Marcus, and LendingTree. The company reported that as soon as it learned about the incident on April 19, 2024, it launched its response plans. It added that at least one individual has been taken into custody and that it is assisting law authorities in their attempts to apprehend those responsible.

AT&T made clear, though, that the information that was accessed did not contain any call or text content, personal data like dates of birth or Social Security numbers, or any other information that might be used to identify an individual. Even though customer names are not included in the data, there are methods to locate the name linked to a particular phone number utilizing freely accessible internet resources.

Additionally, users are advised to only open text messages from reliable senders to avoid falling victim to online fraud schemes like phishing and smishing. Clients also have the option to obtain the phone numbers from calls and texts they made using the data they downloaded unlawfully. The AT&T data breach is still being looked into, according to the U.S. Federal Communications Commission (FCC), which is also working with law enforcement on this.

Impact

• Unauthorized Access
• Data Exfiltration
• Information Theft

Remediation

• Use strong, unique passwords for sensitive accounts. Regularly change passwords for all accounts.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders
• Improve communication with customers by providing timely and transparent updates about data breaches, including what information was compromised and the steps being taken to mitigate the impact.
• Ensure that all vendors and third-party partners adhere to stringent security protocols and regularly assess their cybersecurity practices to minimize the risk of data breaches originating from external sources.
• Provide affected customers with comprehensive support, including credit monitoring services, identity theft detection, and resolution assistance, to help mitigate the potential consequences of the breach.