By Savannah Sicurella and J. Scott Trubey
Nearly all AT&T cellular customers have been impacted by a data breach involving call and text records, the communications company announced early Friday.
In what is the second major data breach AT&T has reported since late March, hackers accessed and copied AT&T call logs during a six-month period in 2022. The company believes the hackers extracted the files from an AT&T workspace on Snowflake, on a third-party cloud platform, in April.
AT&T has roughly 110 million customers, according to a spokesperson.
Here’s what customers should know about the most recent data breach:
What was stolen?
The phone call and text message records of AT&T cellular customers from May 1, 2022 to Oct. 31, 2022, and on Jan. 2, 2023. The records identify the numbers an AT&T customer called or received calls from or exchanged text messages with during that period, as well as counts of those calls or texts and total call durations for specific days or months. For some of the records, one or more cell site ID numbers associated with the interactions are included. Time stamps of the calls were not collected.
As a hypothetical example, the information would show that Phone A interacted with Phone B 10 times between the time period of the collected data, with their calls totaling 100 minutes.
How will I know if I was impacted?
AT&T said essentially all of its customers in periods of extracted data are affected. The company said it is contacting all accounts affected by the event through text, email or mail. Information from non-AT&T customers who interacted with AT&T customers during these times might also be swept up in this incursion, but it is unclear if they will also be notified.
What can metadata be used for?
Metadata or call logs are information about incoming and outgoing calls or text messages, but not the contents of those communications.
Metadata is often used by law enforcement in investigations and are typically only obtained via a subpoena. It can tell comprehensive stories about who people are, what they are doing and what their secrets are, cybersecurity researcher John Scott-Railton wrote in a post on social media platform X, formerly Twitter.
Investigators can use this data to investigate the connections between individuals and entities and establish patterns of communications. These connections can then be used as evidence to seek wiretaps or the contents of text messages.
But Vic Hartman, a retired FBI special agent who runs his own firm that helps businesses with internal investigations, said to make such metadata meaningful, it requires “software, analysts, time and expense to mine it for meaningful information.”
“The subscriber associated with a phone number can be identified,” he said. “Software can connect the dots of relationships between individuals to see how often, how long, and how many texts occurred.”
Can hackers use this information to obtain other information about me or steal other things?
Hartman said he can see potential harm, but this data is not typically sought to be exploited in such a way.
“The bad actor would have to find someone wanting the data, and from there the scheme would get more complicated,” Hartman said. “This could also have been the makings of a ransomware attack that had not yet fully matured.”
But Scott-Railton said the hack is very serious, offering a deep window into peoples lives.
“An unknown entity now has an NSA-level view into Americans’ lives,” he wrote on X. “Damage isn’t limited to AT&T customers. But everyone they interacted with.”
What can I do to protect myself?
AT&T said it does not believe the stolen data exists where it is publicly accessible. It is difficult to say what consumers need to do to protect themselves.
In March, AT&T revealed a hack of the personal information of millions of its customers, including sensitive information such as Social Security numbers.
Liz Coyle, the executive director of the consumer advocacy organization Georgia Watch, said with breaches such as the earlier AT&T hacking, customers should monitor credit reports and freeze their credit if possible. Customers should also change their passwords.
What do we know about who did this?
AT&T has not publicly released details about the hackers responsible for the incident. Between April 14 and April 25, some groupunlawfully accessed an AT&T workspace on a third-party cloud platform. AT&Tsaid it is working with law enforcement to arrest those involved. At least one person has been apprehended.
Hartman said the arrest is a good sign.
“The fact that someone has been arrested could mean that person is now cooperating (and) it’s a matter of time before we find out the motivation behind this,” Hartman said.
What is the dark web?
A part of the internet that is only accessible through special software or authorization. It is intentionally hidden, and protects users from surveillance and tracking. The dark web contains forums, websites and marketplaces where stolen material is often offered for sale.