AT&T Data Breach: Understanding the Fallout
As an AT&T customer, I did receive the unwelcome news that they suffered a data breach.
Here is a rundown of what you should know.
BREACH DETAILS
- This is a sizable data breach of about 109 million customers
- Call and text interactions from May 1, 2022 to October 31, 2022
- AT&T is blaming a 3rd party cloud platform – Snowflake
- FBI Investigating and 1 arrest has been made
- Hackers accessed and exfiltrated the files sometime from April 14th to 25th
- Telephone numbers and phone logs were acquired, but AT&T says call and text message content wasn't exposed.
The breach does not contain customers' personal information, like birthdays or social security numbers.
Apparently, AT&T paid the ransom, which is not smart. Wired magazine reported that AT&T paid the hackers over $300,000 to delete the stolen information and provide video proof.
OVERALL RISK
Given that personal information was not exposed, the risk is nominal.
So far there is no conclusive proof that the data has been released in the wild, but that could change.
Expect more phishing attacks
There could be some ramifications for those who need to keep their call logs secret: undercover agents, supreme court justices, cheating spouses, etc.
The geolocation data, which identifies the cellular towers that phones were connected to during activities, is interesting but likely not too valuable to attackers.
SEC rules for mandatory shareholder notification were followed, with the US Government granting AT&T 2 delays. Normally it is a 4-day rule.
AT&T has not deemed this breach a material event to its shareholders.
Overall, the scale of this breach is unfortunate, but the sensitivity of the data is not too worrying for the vast majority of those affected.
However, this breach does show an unfavorable trend in AT&T’s security posture.
ISSUES and RECOMMENDATIONS
AT&T's statement that "Protecting customer data is a top priority" is not true. This is the second major breach in just 3 months, with 70 million customers affected back in April.
So, let’s talk about what I expect as a cybersecurity professional:
- First, protect your data better! Use MFA, encrypt data at rest, clean up access permissions, and institute data blocking for exfiltration.
- Second, remove all sensitive PII data you really don't need. Why do you need my SSN, my actual date of birth, or the tower I most use during the day or evening? Even my home address is questionable for a mobile phone when I pay electronically. Remove these. And if it is required by dated regulations, then drive the charge to have those regulations updated, so that all the telecommunications vendors aren't a weak point for data harvesters.
- Third, implement a data destruction policy to destroy old customer data. Do you really need to keep people's call logs dating back 2 years? I would argue there is likely a mound of data you want to have but don't actually need to have. Clean that up, lighten your servers, and focus on keeping your network up.
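As an added illustration of the second and third recommendations (strip PII a pipeline does not need, and purge records past a retention window), here is a small filter over call-detail records. This is example code written for this post, not code from AT&T, Snowflake, or any vendor named above; the record fields, the 180-day retention period, the secret key and the sample records are all constructed assumptions. Phone numbers are replaced with keyed one-way tokens (HMAC-SHA256) so fraud analytics can still join on them without the raw numbers ever being stored in the analytics copy.

```python
"""Retention-and-minimization filter for call-detail records (CDRs).

Added example, not the code of any company mentioned in the post.
Assumed record layout: one dict per call with the fields listed in the
sample data below. Dates are ISO strings.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Assumed policy: keep call logs for six months rather than two years.
RETENTION_DAYS = 180

# Fields the billing/analytics use case actually needs; kept as-is.
KEEP_FIELDS = {"event_date", "direction", "duration_s"}
# Identifiers that remain useful for fraud analytics only as one-way tokens.
TOKENIZE_FIELDS = {"caller", "callee"}
# Everything not in the two sets above (tower id, IMEI, SSN, ...) is dropped.

# Constructed secret for the example; a real deployment would load it from
# a secrets manager, separate from the data store holding the tokens.
SAMPLE_KEY = b"example-tokenization-key-not-real"

# Constructed sample records; the numbers and identifiers are fictitious.
SAMPLE_CDRS = [
    {"event_date": "2022-06-03", "caller": "+15550100001", "callee": "+15550100002",
     "direction": "out", "duration_s": 120, "cell_tower_id": "TWR-0042",
     "imei": "000000000000000", "customer_ssn": "000-00-0000"},
    {"event_date": "2024-05-20", "caller": "+15550100001", "callee": "+15550100003",
     "direction": "in", "duration_s": 45, "cell_tower_id": "TWR-0017",
     "imei": "000000000000000", "customer_ssn": "000-00-0000"},
    {"event_date": "2024-07-01", "caller": "+15550100004", "callee": "+15550100001",
     "direction": "out", "duration_s": 300, "cell_tower_id": "TWR-0042",
     "imei": "000000000000000", "customer_ssn": "000-00-0000"},
]
AS_OF = date(2024, 7, 12)  # the day the job runs in this example


def tokenize(value: str, key: bytes) -> str:
    """Keyed one-way token: same input and key give the same token, so joins
    still work, but the raw number cannot be recovered without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimize_record(record: dict, key: bytes) -> dict:
    """Return a copy containing only needed fields, with identifiers tokenized."""
    out = {}
    for field, value in record.items():
        if field in TOKENIZE_FIELDS:
            out[field] = tokenize(value, key)
        elif field in KEEP_FIELDS:
            out[field] = value
        # any other field is discarded, which is the data-minimization step
    return out


def apply_retention(records, today: date, retention_days: int = RETENTION_DAYS):
    """Split records into (kept, purged_count) by age relative to `today`."""
    cutoff = today - timedelta(days=retention_days)
    kept, purged = [], 0
    for rec in records:
        if date.fromisoformat(rec["event_date"]) < cutoff:
            purged += 1  # past the retention window: destroy, do not archive
        else:
            kept.append(rec)
    return kept, purged


def process(records, key: bytes, today: date, retention_days: int = RETENTION_DAYS):
    """Apply retention first (fewer records to touch), then minimize what remains."""
    kept, purged = apply_retention(records, today, retention_days)
    return [minimize_record(r, key) for r in kept], purged


def demo():
    """Run the filter over the constructed sample and return (records, purged)."""
    return process(SAMPLE_CDRS, SAMPLE_KEY, AS_OF)


if __name__ == "__main__":
    minimized, purged_count = demo()
    print(f"purged {purged_count} expired record(s); kept {len(minimized)}")
    for rec in minimized:
        print(rec)
```

Run as-is, the 2022 record falls outside the 180-day window and is destroyed, and the two kept records come out with only the date, direction, duration and tokenized numbers; tower ids, IMEIs and SSNs never reach the analytics copy. The order matters: purging before minimizing means expired records are never even tokenized, and keeping the HMAC key in a separate secrets store means a leak of the analytics tables alone does not reveal anyone's phone number.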
FALLOUT
AT&T is getting proficient at handling major data breaches, which is not really a compliment.
I hope its big competitors lean in and invest in cybersecurity to showcase how they can protect their customers, thus leveraging security as a competitive advantage for consumers choosing a communications provider that really is making customer data protection a top priority!
AT&T, I will be considering how you protect my data when my contract is up and I look at other providers!
Follow me on LinkedIn: https://www.linkedin.com/in/matthewrosenquist/
Follow for more Cybersecurity Insights: https://www.youtube.com/CybersecurityInsights