Why the AT&T breach matters – and how to respond


In the latest major cybersecurity incident, AT&T has revealed a significant data breach affecting nearly all its wireless customers. The breach, which involves call data records (CDRs) from May 1, 2022, to October 31, 2022, and a limited set from January 2, 2023, has far-reaching implications for both individuals and organizations. The compromised data includes source and destination numbers, and for some, cell site information that can offer a rough geolocation of the AT&T customer.

The stolen CDRs are a gold mine for intelligence analysis, allowing threat actors to understand networks by identifying who’s communicating with whom and when. Even without direct identification data, the analysis of communication patterns can reveal sensitive relationships and operational details. This breach highlights the importance of protecting metadata, as it’s almost as valuable as the content of the communications themselves.

AT&T’s case also triggers a complex set of regulatory and notification challenges. While it’s clear that phone numbers are protected under many privacy frameworks, including GDPR, AT&T claims that the only international call records affected were those from Canada. This limits the immediate GDPR implications, but does not eliminate the need for scrutiny. Businesses using AT&T wireless to communicate with customers must consider their notification requirements. It remains to be seen if AT&T will handle breach notifications on behalf of affected customers, a process that could become complicated by the need to identify victims outside of AT&T's direct customer base.

Why blame Snowflake?

I have a hard time with all the blame Snowflake has received. They had to balance customer adoption with ease of use and didn't force users to employ stronger security settings. But those more secure configuration options were available. I'm comparing this to a car in the 1980s that came with a seat belt, but didn't sound an alarm when the driver was unbuckled. If the manufacturer provided a safety option and the driver chooses not to use it and gets hurt, who’s at fault? That said, I think we can all agree people are safer when the car screams at the driver if their belt is unbuckled. Snowflake in this analogy is the 1980s-era car.

Organizations need to understand that they may be affected by this breach even if they are not AT&T customers. If they work with a mobile virtual network operator (MVNO) that uses AT&T’s network, they may still have exposure. Threat actors can use the data to identify organizations using SMS-based multi-factor authentication (MFA), potentially accelerating attacks. As such, organizations should expedite the transition from SMS-based MFA to more secure alternatives.

The AT&T breach serves as a reminder of how threat actors leverage data from multiple incidents to amplify their impact. Previous breaches that mapped phone numbers to identities make the newly stolen data more exploitable. Organizations must continually reassess their security posture and ensure they are following best practices in data protection and breach response. Here are some important takeaways for security pros:

  • Companies that don’t have AT&T accounts are still at risk: Even if the company isn’t an AT&T customer, it may still have some exposure if it works with an MVNO that piggybacks on AT&T’s network.
  • Expect lateral movement: Threat actors might use this data (if publicly exposed) to connect an organization to other organizations. This may create new risks if the company has been trying to keep those associations out of the public view.
  • Move off SMS-based MFA: Threat actors might use this data to understand who’s using SMS-based MFA. In some cases, they might use this to determine which services are in use. To the extent we still rely on SMS-based MFA, we should consider migrating those apps ASAP.
  • This case will have a long tail: We may have our own breach notification requirements coming from this breach of AT&T’s data.
  • Don’t underestimate the bad guys: This compromise demonstrates yet again how threat actors may combine data from previous incidents to exacerbate impacts. Previous AT&T incidents mapped customer phone numbers to other identifying information, simplifying the weaponization of the newly compromised data.
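The "move off SMS-based MFA" takeaway starts with knowing which accounts still depend on a phone-network second factor. The following is an added example, not part of the original column and not any identity provider's tooling: it parses a constructed CSV export of enrolled MFA factors (the column layout and factor names are assumptions), flags accounts whose strongest factor is SMS or voice so they can be migrated first (privileged roles ahead of others), and separately lists accounts that already have a stronger factor but still keep SMS or voice enrolled as a fallback, since that fallback remains a target until it is removed.

```python
"""Audit an MFA-factor export for accounts that still depend on SMS or voice
second factors, so migration can be prioritized.

All data below is constructed for illustration; the CSV layout and factor
names are assumptions, not any vendor's export format.
"""
import csv
import io
from collections import defaultdict

# Factor strength tiers (higher is stronger). Hypothetical factor names.
FACTOR_TIER = {
    "sms": 1, "voice": 1,        # depend on the phone network; exposed by CDR-style metadata
    "totp": 2, "push": 2,        # authenticator-app based
    "fido2": 3, "passkey": 3,    # phishing-resistant
}

PHONE_FACTORS = {"sms", "voice"}

# Constructed sample export: one row per (user, enrolled factor).
SAMPLE_EXPORT = """\
user,role,factor
alice@example.com,admin,sms
alice@example.com,admin,fido2
bob@example.com,admin,sms
carol@example.com,user,sms
carol@example.com,user,voice
dave@example.com,user,totp
erin@example.com,finance,push
erin@example.com,finance,sms
"""


def parse_export(text):
    """Return {user: {"role": role, "factors": set(...)}} from the CSV export."""
    accounts = defaultdict(lambda: {"role": None, "factors": set()})
    for row in csv.DictReader(io.StringIO(text)):
        acct = accounts[row["user"].strip().lower()]
        acct["role"] = row["role"].strip().lower()
        acct["factors"].add(row["factor"].strip().lower())
    return dict(accounts)


def strongest_tier(factors):
    """Highest tier among the enrolled factors; 0 if none are recognized."""
    return max((FACTOR_TIER.get(f, 0) for f in factors), default=0)


def find_sms_dependent(accounts, privileged_roles=("admin", "finance")):
    """Accounts whose strongest enrolled factor is SMS/voice (tier 1).

    Returns a list of (user, role), privileged roles first, then by user name,
    so the migration queue can be worked top to bottom."""
    at_risk = [(user, acct["role"])
               for user, acct in accounts.items()
               if strongest_tier(acct["factors"]) == 1]
    at_risk.sort(key=lambda ur: (ur[1] not in privileged_roles, ur[0]))
    return at_risk


def find_sms_fallback(accounts):
    """Accounts that already have a stronger factor but still keep SMS/voice
    enrolled. The weaker factor remains usable as a fallback until removed."""
    return sorted(user for user, acct in accounts.items()
                  if strongest_tier(acct["factors"]) > 1
                  and acct["factors"] & PHONE_FACTORS)


if __name__ == "__main__":
    accts = parse_export(SAMPLE_EXPORT)
    for user, role in find_sms_dependent(accts):
        print(f"MIGRATE FIRST: {user} ({role}) relies solely on SMS/voice MFA")
    for user in find_sms_fallback(accts):
        print(f"REMOVE FALLBACK: {user} still has SMS/voice enrolled alongside a stronger factor")
```

On the constructed sample, the two lists come out differently: bob and carol have nothing stronger than a phone factor and head the migration queue (bob first because the role is privileged), while alice and erin already hold a stronger factor and only need the SMS enrollment removed. Running the same two checks against a real export is the quickest way to turn the "ASAP" in the takeaway above into a concrete, ordered work list.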

I consider the AT&T data breach a critical incident with extensive implications. It reinforces the need for robust security measures and the importance of protecting metadata. Organizations must take proactive steps to mitigate their exposure, ensure compliance with regulatory requirements, and enhance their overall security posture. As we navigate the fallout from this breach, it’s clear that cybersecurity must remain a top priority for both individual users and organizations.

Jake Williams, former NSA hacker, faculty, IANS Research
