On Friday, AT&T said cybercriminals stole the phone records of “nearly all” of its customers, a data breach that will force the company to notify around 110 million people.
AT&T said the stolen data included records like what phone numbers a certain customer called and texted, the total count of calls and texts, and call durations for a six-month period between May 1, 2022 and October 31, 2022. AT&T said the stolen data does not include any content of calls or texts, nor their time or date.
For some of the affected customers, the cybercriminals were also able to steal cell site identification numbers linked to phone calls and text messages, according to AT&T. This means that — potentially — someone could use this information to figure out the approximate location of a customer when they made a certain call or sent a text, and perhaps infer sensitive information about their lives.
“This can reveal where someone lives, works, spends their free time, who they communicate with in secret including affairs, any crime based communication, or typical private/sensitive conversations that require secrecy,” said Rachel Tobac, a social engineering expert and founder of cybersecurity firm SocialProof Security. “This is a big deal for anyone affected.”
AT&T blamed the incident on a recent breach at cloud service provider Snowflake, which has affected dozens of companies, including Ticketmaster, Santander Bank, and LendingTree subsidiary QuoteWizard. At this point, it’s unclear exactly who was behind the Snowflake breach. Mandiant, the cybersecurity firm hired by Snowflake to investigate, said a financially motivated cybercriminal group they identify as UNC5537 was responsible.
The type of data stolen in AT&T’s data breach is typically referred to as metadata because it doesn’t include the contents of calls or texts, but only information about those calls and texts. That, however, doesn’t mean there are no risks for the victims of this breach.
Tobac said that this type of data makes it easier for cybercriminals to impersonate people you trust, making it easier for them to craft more believable social engineering or phishing attacks against AT&T customers.
Do you have more information about this AT&T incident? Or about the Snowflake breach? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
“The attackers know exactly who you’re likely to pick up a call from, who you’re likely to text back, how long you communicate with that person, and even potentially where you were located during that conversation due to the metadata that was stolen,” said Tobac.
Runa Sandvik, the founder of Granitt, a firm that helps journalists and activist be more secure, said that “even if you don’t do anything ‘important’ or ‘sensitive,’ who you talk to; when; and how often is still personal to you and should remain private to you as well.”
“I think everyone should be very angry about this and demand better from the telcos, it’s not enough to say ‘oh by the way your data was taken, we are sorry and are taking this very seriously’,” Sandvik told TechCrunch.
Sandvik said it’s more concerning for higher-risk individuals affected by the breach. “Some may consider changing their numbers and using a different provider, but it just really depends on the circumstances.” Higher risk individuals can also include those who have a reason to shield their identity, such as survivors of domestic abuse.
Sandvik also said that using encrypted chat apps — like Signal, which doesn’t hold the type of metadata AT&T just lost; and WhatsApp — could be better for security because these companies have a better track record of protecting user data.
Jake Williams, a cybersecurity expert and former NSA hacker, told TechCrunch that the risk is greater for businesses and intelligence targets following the AT&T breach.
“Threat actors can use this data to create patterns of life,” said Williams. “Call data records provide a wealth of value for intelligence analysts.”
Williams also said that it’s possible hackers can combine this data with that of data breaches, because “previous AT&T incidents mapped customer phone numbers to other identifying information, simplifying weaponization of the newly compromised data.”
Call and text metadata is traditionally information that can be valuable for intelligence agencies. Some of the documents leaked by former NSA contractor Edward Snowden more than a decade ago revealed that the U.S. National Security Agency was obtaining customer metadata from Verizon in bulk on an “ongoing, daily basis.”
The U.S. government has long defended this practice as an essential tool to fight against terrorism, and for the last decade successive administrations have been reluctant to give up this capability. A former intelligence officer, who asked to remain anonymous because they were not authorized to speak to the press, told TechCrunch that there is “a reason telcos are so often targeted by foreign services,” citing efforts to identify potential intelligence sources and assets.
“In short, this data is a gold mine for understanding who talks to who, which can for instance be used for developing human sources,” said Williams.