Records of the calls and texts from virtually all AT&T customers fell into the wrong hands, the telecom giant revealed last week, touching off a regulatory investigation and a barrage of questions.
Whether you’re an AT&T customer or not, here are three things to know about the breach:
Metadata matters
Unlike the massive AT&T data breach incident that became public in the spring and included millions of customers’ Social Security numbers, the main information compromised in this leak is call and text records. This includes what numbers communicated with each other and with what frequency, but it does not include specific timestamps for those interactions, AT&T spokesperson Alex Byers told Tech Brew in an email.
He also confirmed that the latest trove doesn’t include “the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information.”
While the incident could be easy to brush off, it’s worth noting that phone numbers are generally included in the list of personally identifiable information that companies have a responsibility to safeguard. The Federal Communications Commission said in a post on X that it has “an ongoing investigation into the AT&T breach” and is coordinating with law enforcement.
Davi Ottenheimer, VP of digital trust and ethics for data startup Inrupt, told Tech Brew that metadata can allow bad actors to piece together intimate details of a customer’s life.
“You don’t know who someone is calling when you see a number, but if you look up the number you find it’s in a doctor’s office. And if you look up the doctor’s office, you find out that it’s a cancer specialist,” he said. “A simple number can turn into a whole lot of information about someone. It’s not so simple as ‘two numbers called each other.’”
At this point, AT&T said, it doesn’t believe the information is publicly available. As Wired reported, the company became aware of the exposed information and allegedly “paid a member of [a] hacking team more than $300,000 to delete the data and provide a video demonstrating proof of deletion” in May.
Corporate responsibility
The security breakdown resulted from hackers gaining access to "a cloud service owned by Snowflake," CNBC reported, highlighting how important it is for both companies and third-party vendors to take steps to prevent such breaches from occurring.
As Bloomberg reported, software vendor Snowflake already put more than 150 of its enterprise customers on notice that hackers had targeted its clients, including Ticketmaster, LendingTree, and Santander—and AT&T appears to be one of the latest victims.
Keep up with the innovative tech transforming business
Tech Brew keeps business leaders up-to-date on the latest innovations, automation advances, policy shifts, and more, so they can make informed decisions about tech.
Snowflake CISO Brad Jones said the company has “not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” according to a statement shared with Tech Brew by Snowflake spokesperson Danica Stanczak.
Still, Ottenheimer criticized Snowflake for taking an approach that he said shifts the burden of data protection onto its customers.
“You can’t push a certain amount of responsibility on people when they’re going to make a decision that’s wrong. If that hurts them, you have an obligation, a moral engineering obligation, to make it difficult for people to do the wrong thing,” he said.
That street goes both ways, though, according to Aaron Walton, threat intel analyst at security firm Expel.
“You kind of hope someone as big as AT&T is going to be able to secure their stuff. And that’s part of the reason that we choose who we do business with: We trust that they’re big enough, and that they’re watching the security enough that we don’t need to cover ourselves on their behalf,” he said.
Personal precautions
While it might be ideal to implicitly trust big companies with personal data, there are a couple things individuals can do to protect themselves.
First, consider turning on multi-factor authentication (MFA) across devices and accounts. Walton noted that Snowflake didn’t force clients to implement the security measure. This meant that when a hacker gained control of account credentials, they met no resistance.
“There wasn’t anything like an SMS message or anything else that said, ‘Hey, is this really you logging in?’” Walton said. “More or less, once you have the credentials, you’re able to log in.”
He added that Snowflake “just recently made it so that administrators can force all the accounts to require MFA,” and it plans to require MFA for newly made individual accounts in the future.
In some cases, AT&T said the leaked metadata includes “one or more cell site identification number(s) associated with the interactions are also included.”
Because such details can ultimately point back to a user’s location, privacy-savvy consumers might also want to consider maintaining a separate phone line for business or for sensitive conversations, Walton said. However, he acknowledged that not all consumers have the means or the know-how to do so, which comes back to corporate responsibility.
“That level of difficulty and doing all those steps isn’t for everyone,” Walton said.