US telecom giant AT&T has disclosed in a regulatory filing that hackers stole the call records for tens of millions of its customers. The company also said it paid a member of the hacking team more than $300,000 to delete the data, plus provide a video demonstrating proof of deletion.
The hacker
The hacker is part of a notorious hacking group that has stolen data from a number of victims through vendor’s unsecured cloud storage accounts. The hacker told WIRED that AT&T paid the ransom in May, and provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. The publication confirmed through an online blockchain-tracking tool that a payment occurred on May 17 in the amount of 5.7 bitcoin.
Chris Janczewski, head of global investigations for crypto-tracing firm TRM Labs, also confirmed – using the company’s own tracking tool – that a transaction occurred in the amount of about 5.72 bitcoin (the equivalent of $373,646 at the time of the transaction), and that the money was then laundered through several cryptocurrency exchanges and wallets.
AT&T reportedly negotiated through an intermediary, who used the online name Reddington, acting on behalf of a member of the hacking group. Reddington received a fee from AT&T for serving in that capacity.
AT&T learned about the data theft three months ago, when Reddington notified security firm Mandiant about the breach after being contacted by another hacker. Mandiant then notified AT&T.
The hacker initially demanded $1m from AT&T but ultimately agreed to a third of that.
The stolen data
AT&T said the compromised data includes the telephone numbers of “nearly all” of its cellular customers and the customers of wireless providers that used its network between May 1, 2022 and October 31, 2022. The records of a “very small number” of customers from January 2, 2023, were also implicated, AT&T said. The stolen logs also contain a record of every number AT&T customers called or texted, including customers of other wireless networks, the number of times they interacted, and the call duration.
The hack was massive, involving 109 million customers. AT&T said international calls were not included in the stolen data, with the exception of calls to Canada.
AT&T has said it launched an investigation, hired cybersecurity experts, and has taken steps to close the “illegal access point.”
AT&T has said the stolen data did not include the contents of calls and text messages nor the time of those communications, but total call durations for specific days or months were exposed. That means the data would not identify precisely when one phone number called another but could reveal how often two parties called each other – and how long they spoke for – on specific days. And the company acknowledged that publicly available tools can be used to link names with specific phone numbers.
“We sincerely regret this incident occurred and remain committed to protecting the information in our care,” the company said in a statement about the breach.
An AT&T spokesperson said this was an entirely new incident that had “no connection in any way” to another incident disclosed in March. At that time, AT&T said personal information such as Social Security numbers on 73 million current and former customers was released onto the dark web.
This is a significant admission. What could be included in the captured communications could be conversations between people working in law enforcement or national intelligence roles, journalists talking to their sources, and technology companies discussing their work product, never mind everyday people’s medical or financial investment-related dialogues. The true nature of the data and scope of the breach is still being evaluated, though.
Federal law enforcement response
Although the company was prepared to disclose the April breach at that time, it said the US Department of Justice Department (DOJ) advised it in May and in June that a delay in issuing disclosure was warranted, as DOJ wanted to review the data for potential national security or public safety risks.
The FBI issued the following statement last week: “Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident. In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety.
“AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work. The FBI prioritizes assistance to victims of cyber-attacks, encourages organizations to establish a relationship with their local FBI field office in advance of a cyber incident, and to contact the FBI early in the event of breach.”
The FBI said at least one arrest has been made. “In assessing the nature of the breach, all parties discussed a potential delay to public reporting … due to potential risks to national security and/or public safety,” the FBI added. “AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”
In the meantime, AT&T has said it launched an investigation, hired cybersecurity experts, and has taken steps to close the “illegal access point.”
The SEC’s rules mandate that publicly traded companies disclose a material cyber incident within four business days via an 8-K filing. But the rules note that companies can delay such disclosure for if the attorney general determines the event poses a national security risk.
Snowflake
AT&T is only the latest major company to have data stolen via access to the Snowflake platform. Ticketmaster operator LiveNation, Advance Auto Parts, LendingTree and Santander Bank (among others) have also recently disclosed massive data breaches linked to Snowflake. Snowflake disclosed the cyberattack on AT&T in late May and has enlisted the help of CrowdStrike and Alphabet’s Mandiant to investigate it.
The usernames and passwords were sufficient for the hacker to enter customers’ Snowflake environments because multi-factor authentication had not been turned on, Mandiant said.
Snowflake issued a blog post last week saying it was working on product capabilities that allow Snowflake administrators to make multifactor authentication mandatory and monitor compliance with that new MFA policy.