AT&T today said a breach on a third-party cloud platform exposed the call and text records of nearly all its cellular customers. The leaked data is said to include phone numbers that AT&T subscribers communicated with, but not names.
An AT&T spokesperson confirmed to Ars that the data was exposed in the recently reported attack on “AI data cloud” provider Snowflake, which also affected Ticketmaster and many other companies. As previously reported, Snowflake was compromised by a group that obtained login credentials through information-stealing malware.
“In April, AT&T learned that customer data was illegally downloaded from our workspace on a third-party cloud platform,” AT&T announced today. AT&T said it is working with law enforcement and “understands that at least one person has been apprehended.”
AT&T said it does not believe the stolen call data has been made publicly available. “The call and text records identify the phone numbers with which an AT&T number interacted during this period, including AT&T landline (home phone) customers. It also included counts of those calls or texts and total call durations for specific days or months,” AT&T said.
Records of “nearly all” AT&T customers
The data does not include the content of calls or text messages, AT&T said.
“Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022 – October 31, 2022. The compromised data also includes records from January 2, 2023, for a very small number of customers,” AT&T said.
The carrier said the breach does not include Social Security numbers, dates of birth, other personally identifiable information, or the time stamps for calls and texts. “While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” an AT&T filing with the Securities and Exchange Commission said.
AT&T’s SEC filing said the “records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included.”
AT&T said it has “clos[ed] off the point of unlawful access” and is notifying current and former customers of the breach. AT&T’s current and former customers can obtain the data that was compromised, and details on how to make those data requests are available on this page.
FBI and FCC comment
The Federal Bureau of Investigation said AT&T and law enforcement agreed to delay public reporting of the incident when the investigation began in April. The FBI provided this statement to Ars:
Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident. In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety. AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.
The FBI declined to provide any information on the person who was apprehended. The Federal Communications Commission said it has “an ongoing investigation into the AT&T breach and we’re coordinating with our law enforcement partners.”
An AT&T spokesperson told Ars that the Snowflake breach is unrelated to another recent leak involving the data of 73 million current and former subscribers.