Breach taxonomy
Summary
Between April 14 and April 25, 2024, threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and exfiltrated call and text interaction records for nearly all AT&T wireless customers and MVNO customers using AT&T's network, covering periods from May 2022 through January 2023. The data included call/text metadata (telephone numbers, interaction counts, duration, and for some records cell site IDs) for approximately 110 million customers. The U.S. Department of Justice authorized a delay in public disclosure for national security reasons; at least one person was apprehended.
Tagging rationale
ThreatCyber Criminals
Filing states AT&T is working with law enforcement to arrest those involved and at least one person has been apprehended, indicating criminal actors; while the filing does not use the term cybercriminals explicitly, the arrest context strongly implies financially motivated criminal actors.
MethodsData ExfilSupply Chain
Filing confirms exfiltration of customer records from an AT&T workspace on a third-party cloud platform (Snowflake), making this both data exfiltration and a supply chain attack vector via the cloud provider.
AssetsPersonal Data
Filing discloses that call and text interaction records for nearly all AT&T wireless customers were exfiltrated — telephone metadata constituting sensitive personal data for ~110 million customers.
EffectsInfo Privacy Loss
Mass exfiltration of customer call/text metadata for nearly all wireless customers constitutes information privacy loss; no operational disruption was disclosed.
Impact
Call and text metadata for nearly all AT&T wireless customers (~110 million) was exfiltrated from a third-party platform; DOJ authorized disclosure delay for national security; one of the largest telecom data breaches in US history.
InsuranceNot disclosed
Filing makes no mention of insurance.
Read the original SEC filing excerpt
Item 1.05 Material Cybersecurity Incidents. On April 19, 2024, AT&T Inc. learned that a threat actor claimed to have unlawfully accessed and copied AT&T call logs. AT&T immediately activated its incident response process to investigate and retained external cybersecurity experts to assist. Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023. The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T's wireless customers and customers of mobile virtual network operators using AT&T's wireless network. These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number. AT&T has taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access. AT&T will provide notice to its current and former impacted customers. On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted. AT&T is now timely filing this report. AT&T is working with law enforcement in its efforts to arrest those involved in the incident.