wei - stock.adobe.com

AT&T loses ‘nearly all’ phone records in Snowflake breach

Hackers have stolen records of virtually every call made by AT&T's customers during a six-month period in 2022, after compromising the US telco's Snowflake data environment

AT&T, one of the largest and oldest telecoms and mobile network operators in the United States, has lost control of the phone records of virtually all of its customers relating to a six-month period in 2022, amid a still-expanding series of breaches affecting customers of cloud data specialist Snowflake.

In a filing with the Securities and Exchange Commission (SEC), the firm said it first learned of the incident on 19 April 2024, when a threat actor claimed to have accessed and copied its call logs. It activated its cyber incident response process at that time in response.

In its SEC statement, AT&T said: “Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between 14 April and 25 April 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately 1 May and 31 October, 2022, as well as on 2 January, 2023.

“The data does not contain the content of calls or texts, personal information such as social security numbers, dates of birth, or other personally identifiable information,” said the organisation.

“Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network. These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month.

“For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” it said.

The telco’s customers can learn more about the incident and the steps that they should now take to protect themselves from the possibility of follow-on attacks, by navigating its support homepage. Affected customers are in the process of being contacted.

“The breach against AT&T is huge and will certainly worry any customer whose data has been leaked. Customers should exercise extreme caution and be on the lookout for any potential phishing attacks or other types of fraud. With the type of data stolen, SMS phishing could be particularly prevalent,” said Rapid7 senior director of threat analytics, Christiaan Beek.

The Snowflake connection

Speaking to TechCrunch, AT&T spokesperson Angela Huguely confirmed that the incident arose when the telco’s Snowflake environment was accessed by cyber criminals.

AT&T now joins a growing list – thought to number over 160 – of Snowflake customers to have been breached recently, likely by a financially-motivated cyber criminal group tracked by investigators at Mandiant as UNC5537. This list most prominently includes firms such as Ticketmaster and Santander.

Podcast: The Snowflake incident

In this podcast released on 5 June 2024, the team at TechTarget's SearchSecurity discusses the recent attacks against Snowflake customers amid a controversial, and since retracted, Hudson Rock report that claimed the cloud storage and analytics giant had been breached. Listen here.

To date, Snowflake’s investigation, which was conducted alongside cyber experts from Google Cloud's Mandiant and Crowdstrike, has found no evidence to suggest the cyber attacks on its customers were caused by any vulnerability, misconfiguration or breach of its platform.

Rather, it maintains, the incidents seem to have arisen due to security hygiene issues at the victim organisations themselves – investigators have found evidence of infostealing malware secreted on third-party contractor systems used to access the compromised firms’ IT systems. AT&T has not addressed this point or provided any information on whether or not this was the case in its incident.

“An organisation is only as secure as its weakest third-party network, and security protocols are only effective if all of their third-party providers are equally secure,” said Rapid7’s Beek.

“Cyber criminals are aware of this and will attempt to breach the weakest link in the chain to gain access to systems and steal highly sensitive data. The sheer amount of personal information stored means it’s even more important that supply chains are secured."

Beek added, “To protect supply chains, organisations should maintain a good standard of cyber hygiene, including the enforcement of multi-factor authentication (MFA). Additionally, network perimeter devices are primary targets for attackers; therefore, critical vulnerabilities in these technologies need to be remediated immediately.”

However, there has been confusion over the precise nature of the Snowflake-related breaches thanks to a group going by the name ShinyHunters – also the operator of the recently disrupted BreachForums data leak "service" – which has repeatedly claimed it was behind the incidents and that it did hack Snowflake’s systems.

In mid-June, a representative of the ShinyHunters collective claimed via an interview with Wired that it accessed Snowflake’s customers through a breach of Belarus-based contractor EPAM. As in all instances where threat actors speak publicly, these claims should be treated with extreme scepticism, and EPAM has itself refuted ShinyHunters’ claims, saying it had been targeted in a misinformation campaign.

The true nature of the ongoing incidents will likely only become clear in the future following multiple parallel investigations.

MFA by default

Earlier this week, Snowflake enacted a major policy change designed to help customers maintain the security of their environments when it beefed up its MFA offering.

The enhanced policies are based on three pillars: prompt, encouraging users to adopt MFA; enforce, allowing administrators to enable MFA by default; and monitor, checking which users have not set up MFA.

Going forward, individual Snowflake users will be prompted to enable MFA and walked through the process. While they will be able to dismiss the prompt, it will reappear after 72 hours if no action is taken.

Admins, meanwhile, will be able to take advantage of a new option that requires MFA for all users in an account, the scope of which can be applied to local users only, or to include single sign-on users as well.

Finally, Snowflake has made a scanning package available to look for MFA and network policy compliance by default and free of charge in all editions.

Javvad Malik, lead security awareness advocate at KnowBe4, said: “It's good to hear that Snowflake is enabling MFA by default. From an account protection perspective, MFA is probably one of the single most effective controls to have in place. Given all the attacks against accounts, including credential stuffing - more organisations should enable MFA by default.”

Next Steps

Risk & Repeat: AT&T's Snowflake database breached

Read more on Data breach incident management and recovery