AT&T is among the latest corporate giants to emerge as a victim of an ongoing data theft campaign targeting clients of cloud-based data storage service Snowflake. But what makes this particular data exfiltration incident worrisome is that AT&T customers’ phone numbers, as well as their calling and texting metadata, were among the purloined information.
By possessing this kind of information, attackers can potentially craft convincing social engineering messages designed to trick recipients into thinking they’re receiving a legitimate communication from someone they know.
Anyone who uses AT&T needs to practice heightened awareness moving forward, keeping their radar attuned to possible phishing, smishing and impersonation scams that leverage the stolen data.
Fortunately, the stolen data doesn’t contain names, birth dates, time stamps or personally identifying information such as Social Security numbers, and no actual content from past calls or messages is included in the records. Still, AT&T acknowledged in a filing with the Securities and Exchange Commission that one can attach an identity to a number simply by strategically leveraging certain “publicly available online tools.”
If dedicated scammers are able to accomplish this, they could then potentially sift through records looking for possible business relationships, and then craft a scam message posing as one of these contacts – perhaps a partner seeking payment for a service or an executive asking an employee to wire funds to a particular bank account.
According to AT&T’s SEC filing, the breached cloud-based workspace (later identified in reports as Snowflake) was illegally accessed between April 14 and April 25, 2024. The affected records belong to “nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network,” and involve call and text interactions that occurred between approximately May 1 and October 31, 2022, plus January 2, 2023 for a small subset of customers. Moreover, the records identify phone numbers that interacted with the affected users, including those associated with external carriers.
AT&T customers are advised to be wary of calls or texts from unidentified numbers. But even known numbers can be spoofed to look like they are coming from a legitimate source. Therefore, any phone-based request to transfer money or click on an unknown link should be treated with suspicion and confirmed with the supposed sender. AT&T provides some additional tips on an incident support page.
Asserting that it does not believe the stolen data has been made public, AT&T said in an online post that it would “provide notice to current and former customers whose information was involved along with resources to help protect their information.”
“We have taken steps to close off the illegal access point,” the company also stated. “We are working with law enforcement in its efforts to arrest those involved in the incident. We understand that at least one person has been apprehended.”
In March 2024, AT&T publicly disclosed a different breach incident, in which personal information belonging to 7.6 million account holders and 65.4 million former account holders was found on the dark web.