The call and text message records from mid-to-late 2022 of tens of millions of AT&T cellphone customers and many non-AT&T customers were exposed in a massive data breach, the telecom company revealed Friday.
AT&T said the compromised data includes the telephone numbers of “nearly all” of its cellular customers and the customers of wireless providers that use its network between May 1, 2022 and October 31, 2022.
The stolen logs also contain a record of every number AT&T customers called or texted – including customers of other wireless networks – the number of times they interacted, and the call duration.
Importantly, AT&T said the stolen data did not include the contents of calls and text messages nor the time of those communications.
The records of a “very small number” of customers from January 2, 2023, were also implicated, AT&T said.
“We have an ongoing investigation into the AT&T breach and we’re coordinating with our law enforcement partners,” the FCC said on social media platform X.
The company blamed an “illegal download” on a third-party cloud platform that it learned about in April – just as the company was grappling with an unrelated major data leak.
AT&T says that the exposed data is not believed to be publicly available, however CNN was unable to independently verify that assertion.
AT&T spokesperson Alex Byers told CNN that this was an entirely new incident that had “no connection in any way” to another incident disclosed in March. At that time, AT&T said personal information such as Social Security numbers on 73 million current and former customers was released onto the dark web.
“We sincerely regret this incident occurred and remain committed to protecting the information in our care,” the company said in a statement about the latest breach.
AT&T listed approximately 110 million wireless subscribers as of the end of 2022. AT&T said international calls were not included in the stolen data, with the exception of calls to Canada.
The breach also included AT&T landline customers who interacted with those cell numbers.
AT&T said that contents of the calls or texts, personal information such as Social Security numbers, dates of birth, or customer names were not exposed in this incident, however the company acknowledged that publicly available tools can often link names with specific phone numbers.
Additionally, AT&T said that for an undisclosed subset of its records, one or more cell site identification numbers linked to the calls and texts were also exposed. Such data could reveal the broad geographic location of one or more of the parties.
AT&T believes that at least one person involved in the cybercriminal incident is in custody, the company said in a filing with the Securities and Exchange Commission. The FBI declined to comment when asked about that statement.
AT&T promised to notify current and former customers whose information was involved and provide them resources to protect their information.
Usage details such as the time of calls and text messages were not compromised either. But AT&T spokesperson Byers told CNN that the number of calls and text messages, and total call durations for specific days or months were exposed.
That means the data would not identify precisely when one phone number called another but could reveal how often two parties called each other – and how long they spoke for – on specific days.
AT&T said it learned on April 19 that a “threat actor claimed to have unlawfully accessed and copied AT&T call logs.” The company said it “immediately” hired experts and a subsequent investigation determined hackers had exfiltrated files between April 14 and April 25.
Justice Department delays public disclosure
The company said the US Department of Justice Department determined in May and in June that a delay in public disclosure was warranted. The FBI said AT&T reached out shortly after learning about the hack, but the agency wanted to review the data for potential national security or public safety risks.
“In assessing the nature of the breach, all parties discussed a potential delay to public reporting… due to potential risks to national security and/or public safety,” the FBI said in a statement. “AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”
This appears to be the first cyber incident in which the Justice Department has asked a company to delay filing a disclosure with the SEC because of potential national security or public safety concerns.
“This is very concerning. This information is very valuable to cyber criminals and to nation-states,” Sanaz Yashar, co-founder and CEO of cybersecurity firm Zafran, told CNN.
Yashar, previously an Israeli cyber spy, said threat actors can correlate the cell ID data with other information readily available to pinpoint where someone works – including at sensitive locations like the White House and Pentagon.
“You don’t need the timestamp. If someone is there everyday, you can understand they work there and their routine. This is very secret information and a way that spies do stuff.”
Justin Sherman, founder of Global Cyber Strategies, a consultancy, also put the potential threat in stark terms.
“Metadata about who’s communicating with who, at massive scale, enables someone to map connections between people — think journalists and sources, intelligence officers and their contacts, married people and those with whom they’re having an affair,” Sherman told CNN.
Jason Hogg, a former FBI special agent who is now executive-in-residence at Great Hill Partners, said the cell site data is “quite significant because it could allow bad actors to determine certain consumers’ geolocation, which could be used to make the social engineering attacks more believable.”
AT&T shares fell 1% on Friday following the news.
In the new incident, AT&T told CNN it learned in April that customer data was illegally downloaded from its workspace on Snowflake, a third-party cloud platform.
AT&T is only the latest major company to have data stolen via access to their Snowflake platform. Ticketmaster and Santander Bank have also recently disclosed massive data breaches linked to Snowflake. Mandiant, a Google-owned cybersecurity firm, has notified at least 165 organizations that they may have been affected by the hacking spree. Mandiant analysts said they have “moderate confidence” that the hackers are based in North America and that they collaborate with an additional person in Turkey.
Brad Jones, chief information security officer at Snowflake, told CNN in a separate statement that the company has not found evidence this activity was “caused by a vulnerability, misconfiguration or breach of Snowflake’s platform.” Jones said this has been verified by investigations by third-party cybersecurity experts at Mandiant and CrowdStrike.
AT&T said it launched an investigation, hired cybersecurity experts and took steps to close the “illegal access point.”
This story has been updated with additional context and developments.