A search of the internet for news on the recent AT&T breach and the mind can only boggle at what’s going on with this story.
SC Media first reported on July 12 that the wireless carrier acknowledged that a data compromise involving third-party platform Snowflake included files containing AT&T call detail records (CDRs) of “nearly all” of AT&T’s cellular customers — that's well more than 100 million users.
Between reports late Friday that the federal government negotiated an SEC filing delay with AT&T and a report that AT&T paid a ransom to have the stolen data deleted, there’s been a lot of press on the case, much of it very confusing.
Here are some answers to important questions:
Why did AT&T delay filing until July 12?
AT&T first learned of the breach in April and the SEC filing is dated May 6, but the filing wasn’t made public until last Friday.
The FBI told SC Media that shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident. In assessing the nature of the breach, the FBI said all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule because of potential risks to national security and/or public safety. AT&T, FBI and the Justice Department worked collaboratively through the first and second delay process, all while sharing threat intelligence to bolster the FBI’s investigation and to assist AT&T’s incident response work.
A spokesperson for AT&T added that the telecom giant was cooperating with law enforcement in its ongoing investigation and, as part of that effort, they delayed the announcement so as to avoid undermining their work.
Why does the filing delay matter?
The filing delay is significant because it’s reportedly the first time the Justice Department has granted an exemption under the SEC’s new cybersecurity rule that went into effect last December in which companies must report a cybersecurity incident within four days.
Is it true that AT&T paid $370,000 for the hackers to delete the data?
We don’t know for sure — and both AT&T and the FBI have refused comment on the reported ransom payment. The story about the payment first broke in Wired on July 14 in which it’s alleged that AT&T paid a hacker $370,000 in Bitcoin to prevent the data from being leaked.
A researcher who uses the online name Reddington told Wired that he was contacted in April by hacker John Binns, who claimed to have obtained the call logs of millions of AT&T customers from Snowflake. For those who may remember, Binns was detained in Turkey for his alleged role in the 2021 T-Mobile breach and could be the person AT&T refers to in its public statement Friday about a person being apprehended. AT&T was reportedly supposed to send the $370,000 ransom to Binns, but ended up sending it to a ShinyHunters member since Binns was arrested in Turkey. Reddington, Binns and the ShinyHunters hacker reportedly stored the full AT&T database on a cloud server from where it was deleted after the company paid a ransom.
However, the hackers may have sent samples of the data to multiple people before it was ultimately deleted.
If AT&T did pay the ransom, was that a good move?
Narayana Pappu, chief executive officer at Zendata, said the ransom reportedly paid by AT&T is far below the average of $2 million. Would it have been a better strategy to not pay the ransom, instead of creating an incentive for this to happen again?
Pappu says “yes.” However, for a company like AT&T there are different types of risks — operational, regulatory, brand/reputational risk. Acting to get the data deleted and coming up with a mitigation plan are all part of brand/reputational risk management. AT&T stock, for example, dropped more than 1% since the breach surfaced — that's about $130 million in market cap.
Why was there so much concern in the intelligence community around the stolen call detail records?
The FBI and intelligence analysts are concerned about the CDRs because they are extremely valuable data. Agnidipta Sarkar, vice president and CISO Advisory at ColorTokens, said CDRs can reveal where someone lives, who they call more frequently than others, what they talk about, where they work, how people spend their free time, their political and religious beliefs, or typical private/sensitive conversations that require secrecy.
Sarkar said if this gets to bad actors, the information can be misused. So, is this good reason to pay the hackers?
“Maybe so," said Sarkar. “But it depends on what we are focusing on. Best practices says we must not pay, however, there could be larger issues to consider. Was delaying the disclosure helpful? We still need to find out if the authorities were able to do something with the additional time.”
Ted Miracco, chief executive officer at Approov, added that the metadata leaked in the AT&T breach is very similar in nature to the data revealed by Edward Snowden, which detailed how the National Security Agency was collecting bulk metadata from telecommunications companies, including AT&T.
Miracco said the Snowden revelations were about authorized programs under the Patriot Act and other legislation, where telecom companies were legally compelled to share data with the NSA and other agencies. The AT&T data is highly valuable for surveillance and intelligence purposes as it lets agencies track communication patterns, relationships between individuals, and potentially identify suspicious activities.
“If the leaked AT&T data was part of a government surveillance program or contained information that could compromise national security operations, the FBI would likely want to delay public disclosure to manage the situation without causing widespread panic or alerting adversaries,” said Miracco. “Keeping the breach confidential allows the government to assess the damage and take appropriate countermeasures without exposing their surveillance infrastructure.”
Miracco added that telecommunications companies like AT&T are high-value targets for nation-states and terrorist groups. He said if the attackers were able to access metadata repositories potentially used by intelligence agencies, it suggests a high level of intent and capability typically associated with nation-state actors — but as of now, there are still too many unanswered questions.
