Description

AT&T announced on July 12, 2024, that it had been the victim of a data breach. The company learned of the breach in April but delayed disclosing it at the request of federal investigators. The attack is attributed to unauthorized access to an AT&T workspace on Snowflake, a third-party cloud platform. Snowflake is a well-known data warehousing and data engineering platform that helps companies organize and manage their data.

This is the second major data breach announced by AT&T within a three-month period. The former breach, which took place in March 2024, exposed personal information of about 73 million customers, including names, email addresses, birth dates, and Social Security numbers (SSNs).

Unlike the previous attack, the most recent breach did not expose personally identifiable information (PII). Instead, it compromised metadata, that is, information that describes other data. The compromised data includes phone numbers and counts of calls or texts placed by nearly all AT&T mobile customers between May 1, 2022, and October 31, 2022, as well as on January 2, 2023. For some customers, the data also included the location of the cellular towers that handled their communications. AT&T insists that the actual content of calls or texts was not accessed. The concern, however, is that the databases from the two breaches could be correlated, matching names to phone numbers and potentially allowing subscribers' whereabouts and activity to be pieced together. AT&T reported implementing enhanced security protocols in response to the breach, including closing the point of entry that allowed unauthorized access to its systems.

Fallout and Legal Consequences

AT&T has faced significant repercussions following the data breach. According to Wired Magazine, AT&T paid a ransom of $373,646 to a cybercriminal group called ShinyHunters, which had notified the company that it was in possession of the data. The payment was made on May 17 in exchange for the deletion of the stolen data. A class action suit has since been filed against AT&T, alleging negligence in protecting customer data and failure to implement industry-standard security measures, such as multifactor authentication, on the third-party cloud platform Snowflake. The plaintiff also claims AT&T has not been transparent about the extent of its data security lapses. In addition to the suit, Senators Richard Blumenthal of Connecticut and Josh Hawley of Missouri have written a letter to AT&T demanding more information about the breach.

Prevention

In this case, the breach is being directly attributed to the lack of multifactor authentication (MFA) on the third-party cloud platform. MFA works by requiring users to provide two or more verification factors to gain access to an account or system. After the user enters their credentials for the initial login, the system prompts for one or more additional authentication factors. Popular forms of secondary authentication include:

  • Entering a one-time password (OTP) or PIN sent by SMS or email
  • Using an authenticator app to generate a code
  • Using a physical token or key such as inserting a FIDO key into a laptop
  • Providing biometric data such as a fingerprint or facial recognition

Even if attackers manage to steal or guess a password, MFA provides an additional barrier: without the second (or third) factor, the password alone does not grant access to the system. Many cloud providers offer MFA as an option, but customers or users sometimes fail to enable it. Many regulatory frameworks and cyber insurance providers now require MFA. With passwords increasingly vulnerable to compromise, MFA should no longer be viewed as optional, but as a mandatory security measure for all sensitive systems and accounts.