evan_schuman
Contributor

AT&T confirms arrest in data breach of more than 110 million customers

News
12 Jul 2024 | 6 mins
Cyberattacks, Data Breach, Privacy

This is apparently the first cybersecurity incident where the Justice Department initially allowed an enterprise to not disclose


When confirming details of a massive data breach of about 110 million customers, AT&T on Friday also revealed that it apparently became the first enterprise to be given permission to initially keep breach details secret, and was later cleared to publish them.

The incident itself — which AT&T said stemmed from a series of Snowflake attacks — revealed call data, but not the particulars of those calls. AT&T said that although the information stolen doesn’t reveal customer names, it pointed out that “there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”

AT&T spokesperson Jim Kimberly said in a phone interview with CSOonline that the stolen data, which was on a third-party workspace and spans the periods between approximately May 1 and October 31, 2022, as well as January 2, 2023, is not nearly at the detail level that, for example, customers are used to seeing in their AT&T phone bill. “Picture what is in your phone bill. (What was stolen) is not nearly that detailed,” Kimberly said. “It’s more like ‘this phone number contacted this phone number and were connected for this many minutes’.”

In the SEC filing, AT&T was more specific.

“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network,” the SEC filing said. “These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included.”

Given that AT&T said that “nearly all” AT&T mobile customers were impacted, that raises the question of why the data of some customers was not impacted. Had those customers done something differently? When asked those questions, AT&T’s Kimberly did not have an answer.

AT&T reported that at least one person has been arrested in connection with the incident, but it referred questions about the arrest or arrests to the FBI, which did not respond to questions from CSO about that arrest.

Unlike in other major data breaches, AT&T said that — for now — it does not appear that the attackers have posted any of the information on the Dark Web or anywhere else. “As of the date of this filing, AT&T does not believe that the data is publicly available,” the company told the SEC.

An interesting element of this case is that it is apparently the first instance in which the FBI/Justice has given an enterprise permission to keep data breach details secret, and later gave permission to publish. 

Neither AT&T (in a phone interview) nor the FBI addressed why the breach was now permitted to be public. The suspect’s arrest may have played a role in the permission to disclose. But the FBI late on Friday told CSO Online that the decision to make the information initially secret was agreed to jointly.

“Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident. In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety,” the FBI statement said. “AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”

The FBI statement added that it encourages enterprises to work with law enforcement as early as practical. “The FBI prioritizes assistance to victims of cyber-attacks, encourages organizations to establish a relationship with their local FBI field office in advance of a cyber incident, and to contact the FBI early in the event of breach.”

One scenario is that authorities did not want the suspect to know that they had discovered the AT&T breach. Although AT&T said that more suspects are at large, it’s possible that the first arrest would have alerted others to the AT&T situation, thereby removing the need for secrecy. AT&T and the FBI also did not say when Justice gave AT&T permission to disclose.

“On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted. AT&T is now timely filing this report,” AT&T said in its filing.

It also said that it had concluded that the incident was not material, but that it chose to disclose it anyway. “As of the date of this filing, this incident has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations.”

Jonathan Rudy, senior counsel for TransUnion, said that he found that declaration surprising.

“You lose almost your entire call center base for three months, and you don’t consider that material?” he asked in a CSOonline interview, adding that these were his personal opinions and not necessarily the views of his employer. “You could get a lot of good collateral goods out of this stuff.”

He observed that this appeared to be the first disclosure of a breach after Justice had given permission for secrecy.

Another unusual aspect of this filing is that it wasn’t signed by the usual SEC security incident executives, such as CFO, CIO or CISO. This AT&T SEC disclosure was signed by Stacey Maris, AT&T’s senior VP and chief privacy officer. This might signify that AT&T considered this massive incident mostly a privacy matter, rather than a security matter, possibly because of the third-party nature of the incident. 

“That is probably a good thing. They opted for the person who is closest to the problem” which would be privacy disclosures, Rudy said.


Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his blog twice a week.

The opinions expressed in this blog are those of Evan Schuman and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
