
AT&T data breach: what happened and what it means for you

18 July 2024 | Applicable law: US | 4 minute read

On Friday, July 12, 2024, AT&T disclosed a massive data breach affecting "nearly all" AT&T wireless customers (including customers of third-party mobile virtual network operators (MVNO) such as Cricket, Straight Talk, and Consumer Cellular). The breach occurred between May 1 and October 31, 2022, with a smaller breach on January 2, 2023.

What data was compromised?

As reported in a filing with the Securities and Exchange Commission and on AT&T's website, the records identifying customer phone numbers and the phone numbers with which those phones interacted (either calls or text messages) were compromised, as well as, for a limited number of the records, one or more cell site identification number(s) (i.e., location) associated with those interactions. According to AT&T no other data – not the content of messages nor any other personal information – was exposed.

How can I find out if my information was accessed?

If you were an AT&T (or applicable mobile virtual network operator (MVNO)) customer during the relevant periods, it is apparently almost certain that your data was accessed. AT&T has said they will be providing notices to all impacted individuals by email, text or U.S. mail.  

Who did this/who has the data?

According to AT&T's July 12 filing, at least one unnamed person has been apprehended, and AT&T believes that the data is not yet publicly available.

How did this happen?

Though we do not yet know the details of how this occurred, it is notable that this breach – even though it is "AT&T's" breach – did not happen on any AT&T systems but on a "third-party cloud platform" identified in the media as Snowflake.  Snowflake has also been in the news recently as the result of a cyberattack that impacted upwards of 160 of its customers, including LendingTree, Advance Auto Parts, LiveNation and Santander Bank.

Are my text messages safe?

As noted, AT&T has said that the content of text messages was not exposed, but it is important to note that even absent this breach, text messaging is generally not secure. Standard SMS messages are not end-to-end encrypted and can be intercepted. In addition to being readable on the recipient's device (which is likely set to have messages visibly pop up even when the device is locked), the messages can be read by the carriers (though they are not legally permitted to do so without a court order) or by threat actors who have access to their systems. For secure messaging, both parties need to be using a messaging app that includes encryption. For example, iMessages between devices with iMessage installed (which generally appear in blue) are subject to Apple's end-to-end encryption; but if one of the devices doesn't have iMessage, the content is sent via standard SMS protocol (it will generally appear in green) and is not encrypted.

How could the data be used?

While the data itself doesn't identify any individuals, if the data does become available to the public or threat actors, phone numbers can be relatively easily associated with individuals or companies using widely available information. That could be used to identify who is communicating with whom and, when combined with location information, could also indicate places visited or specific patterns of behavior, and help paint a detailed picture of a person's life and relationships. The most likely beneficiaries of this type of data are state actors and organized cybercriminals, who have the computing resources and can use the information as part of their social engineering attacks, to harm national security, and for other malicious purposes.

Key takeaways 

As is always the case with a data breach, once the data has been accessed by a malicious actor or made available online, that genie can't be put back in the bottle. What you can do is try to mitigate potential harm based on the data that was likely exposed and take steps going forward to protect your data and digital life from further compromise.  

1. Consider your communications:
Consider what communications (calls or texts) you may have had during the relevant period where having just your phone number and the other party's (or parties') numbers (and thus names) – as well as device location information – could be damaging if correlated.  While there is no reported evidence of this having happened, it is a likely scenario in the future.      

2. Remain vigilant:
High net worth individuals, executives, founders, family offices and small businesses and financial firms have become favorite targets for a number of threat actors – both cybercriminals out for quick financial gain and state actors – since there is often a much less-protected trove of data, which can be used for direct financial gain or to obtain a payout or leverage by threatening its release. It is important for everyone – particularly those who could be valuable targets – to remain vigilant for potential online threats, scams, and attacks. 

3. Enhance security:
- Use encrypted communications for any sensitive information, whether email or messaging.
- Enable multi-factor authentication on all key accounts and systems.
- Ensure passwords are unique, long, and complex to avoid credential stuffing and similar attacks.
- Protect personal devices and home networks, and use a VPN when appropriate.

4. Review service providers:
If you are involved in a family office, small business, or financial firm, review your service providers' security and contractual terms.  As with AT&T's use of Snowflake, vendors (and their security) are often the weak links, and many "standard" vendor contracts do not contain appropriate protections or require the customer to take specific actions (or pay for upgraded security) in order to get appropriate protection. Even "non-negotiable" terms in vendor contracts can generally be revised to require better protection (or it may be time to consider other vendors). 

While there is no such thing as perfect security, these and other steps can reduce your exposure. If you have any questions about any of the above or for an introduction to consultants who focus on cybersecurity for individuals and small firms, please reach out to Doron Goldstein, US Head of our Data Innovation, Privacy and Cybersecurity Practice or your Withers relationship partner.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.
