On Friday, AT&T disclosed a massive data breach where all customer data (110 million subscribers), including phone and text message activity, was stolen. The data doesn’t appear to include the content of those messages but all the metadata around them (numbers, times, location of towers, etc.). Yes, you read this correctly, ALL AT&T customers’ phone and text message records!! The details of the breach are only now coming to light; however, the breach occurred in April and was part of a broader breach of a cloud storage provider, Snowflake. The compromise of Snowflake has also been implicated in other large data breaches, including Advance Auto Parts, Ticketmaster, Santander Group and others.
There is a lot to unpack related to this breach; however, I will keep this email focused on basic details and actions people can take to help protect themselves and their businesses. I will be posting a full analysis of the incident on my blog early next week.
If you or your business have AT&T mobile service, you’re impacted. This means unauthorized attackers can potentially see who you get SMS authentication tokens from, who you call on most days, who you haven’t called in a while, maybe who your accountant or broker is, or who you’re calling that you shouldn’t be! The implications of this data exposure are enormous. The attackers were able to gain a level of access usually limited to only law enforcement with very special FISA warrants.
What should I do?
- We need to make sure that everyone impacted by this knows about it. It’s the first step to ensuring people have their guard up and are less likely to fall victim to fraud attempts and manipulation.
- Advise users to request help and report any suspicious activity, including emails, calls or text messages purporting to be from various support entities (e.g., Google, Apple, AT&T, Microsoft, the IRS, banks, etc.). Users should never provide personal information, click on links or download files in response to these messages. If they need to contact support, users should go to the institution’s authorized website and call the published support number.
- If possible, users should transition any accounts that authenticate by text message to an authenticator app that provides number matching or rotating time-based one-time passwords (TOTP). Users should prioritize their critical personal and financial accounts such as banking.
- Lastly, users should enable credit freezes with all three credit bureaus. I’ve posted details below about this process.
According to reporting, AT&T has been working with the FBI and paid the attacker between $300k-$1m in ransom to destroy the stolen data. However, we cannot assume the data was actually destroyed. I’ve yet to meet an honest criminal. The best course of action is to assume the worst and be prepared.
Credit Freeze is the best protection we have to safeguard our finances
- Everyone should place a credit freeze with all 3 credit bureaus. There is no cost to enabling a credit freeze. It’s easy to do and ensures your credit and identity are protected from further or future compromise. This is recommended for everyone, even if there is no indication of compromise: https://consumer.ftc.gov/articles/what-know-about-credit-freezes-fraud-alerts. You may also want to consider enabling a fraud alert if you’ve been the subject of identity theft.
- Equifax Credit Freeze: https://www.equifax.com/personal/credit-report-services/credit-freeze/
- Equifax Services: https://www.equifax.com/personal/credit-report-services/
- Experian Credit Freeze: https://www.experian.com/freeze/center.html
- TransUnion Credit Freeze: https://www.transunion.com/credit-freeze
- Request and review your free credit report to ensure no accounts have been opened without your consent. https://consumer.ftc.gov/articles/free-credit-reports#How%20To%20Get%20Your%20Free%20Credit%20Reports
Additional Resources and Details:
- https://krebsonsecurity.com/2024/07/hackers-steal-phone-sms-records-for-nearly-all-att-customers/
- https://www.forbes.com/sites/noahbarsky/2024/07/13/att-board-gifted-100-million-customers-privacy-to-hackers/
- https://www.securityweek.com/att-breach-linked-to-american-hacker-telecom-giant-paid-370k-ransom-reports/
- https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/
- https://arstechnica.com/tech-policy/2024/07/nearly-all-att-subscribers-call-records-stolen-in-snowflake-cloud-hack/
As always, if you have any additional questions or concerns about this latest security disclosure, please feel free to reach out.