
AT&T loses ‘nearly all’ phone records in Snowflake breach

by Admin

AT&T, one of the largest and oldest telecoms and mobile network operators in the United States, has lost control of the phone records of almost all of its customers covering a six-month period in 2022, amid a still-expanding series of breaches affecting customers of cloud data specialist Snowflake.

In a filing with the Securities and Exchange Commission (SEC), the company said it first learned of the incident on 19 April 2024, when a threat actor claimed to have accessed and copied its call logs. It activated its cyber incident response process at that time in response.

In its SEC statement, AT&T said: “Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between 14 April and 25 April 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately 1 May and 31 October 2022, as well as on 2 January 2023.

“The data does not contain the content of calls or texts, personal information such as social security numbers, dates of birth, or other personally identifiable information,” said the organisation.

“Current analysis indicates that the data includes, for those periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network. These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month.


“For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” it said.

The telco’s customers can learn more about the incident, and the steps they should now take to protect themselves from potential follow-on attacks, via its support homepage. Affected customers are in the process of being contacted.

“The breach against AT&T is huge and will certainly worry any customer whose data has been leaked. Customers should exercise extreme caution and be on the lookout for any potential phishing attacks or other types of fraud. With the type of data stolen, SMS phishing could be particularly prevalent,” said Rapid7 senior director of threat analytics, Christiaan Beek.

The Snowflake connection

Speaking to DailyTech, AT&T spokesperson Angela Huguely confirmed that the incident arose when the telco’s Snowflake environment was accessed by cyber criminals.

AT&T now joins a growing list – thought to number over 160 – of Snowflake customers to have been breached recently, apparently by a financially motivated cyber criminal group tracked by investigators at Mandiant as UNC5537. This list most prominently includes companies such as Ticketmaster and Santander.

Snowflake’s investigation has pinned these breaches on a lack of security hygiene at the victims – analysts have found evidence of infostealing malware planted on third-party contractor systems used to access the compromised companies’ IT systems, the implication being that the Snowflake credentials were harvested from those machines and replayed. AT&T has not addressed this point or provided any information on whether or not this was the case in its incident.


“An organisation is only as secure as its weakest third-party network, and security protocols are only effective if all of its third-party suppliers are equally secure,” said Rapid7’s Beek.

“Cyber criminals are aware of this and will attempt to breach the weakest link in the chain to gain access to systems and steal highly sensitive data. The sheer volume of personal information stored means it is even more essential that supply chains are secured.”

Beek added: “To protect supply chains, organisations should maintain a good standard of cyber hygiene, including the enforcement of multi-factor authentication (MFA). Additionally, network perimeter devices are primary targets for attackers; therefore, critical vulnerabilities in these technologies must be remediated immediately.”

However, there has been confusion over the precise nature of the Snowflake-related breaches because of a group going by the name ShinyHunters – also the operator of the recently disrupted BreachForums data leak “service” – which has repeatedly claimed it was behind the incidents and that it did hack Snowflake’s systems.

In mid-June, a representative of the ShinyHunters collective claimed in an interview with Wired that it accessed Snowflake’s customers through a breach of the Belarus-founded IT contractor EPAM. As in all cases where threat actors speak publicly, these claims should be treated with extreme scepticism, and EPAM has itself refuted ShinyHunters’ claims, saying it had been targeted in a misinformation campaign.

The true nature of the ongoing incidents will likely only become clear in the future, following multiple parallel investigations.


MFA by default

Earlier this week, Snowflake enacted a major policy change designed to help customers maintain the security of their environments when it beefed up its MFA offering.

The enhanced policies are based on three pillars: prompt, encouraging users to adopt MFA; enforce, allowing administrators to require MFA by default; and monitor, checking which users have not set up MFA.

Going forward, individual Snowflake users will be prompted to enable MFA and walked through the process. While they will be able to dismiss the prompt, it will reappear after 72 hours if no action is taken.

Admins, meanwhile, will be able to take advantage of a new option that requires MFA for all users in an account, the scope of which can be applied to local (password) users only, or extended to include single sign-on users as well.

Finally, Snowflake has made a scanning package available that checks for MFA and network policy compliance; it is enabled by default and free of charge in all editions.
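The three pillars above, and the infostealer-harvested-credential scenario described earlier in the article, map onto a handful of Snowflake statements. The following is an added example written for this page; it is not the article’s own material and not Snowflake’s scanner package. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE share and set account-level policies (for example ACCOUNTADMIN); the schema and policy names (sec_admin.policies.require_mfa, corp_egress_only) and the CIDR ranges are placeholders chosen for illustration.

```sql
-- Added example, not from the article or from Snowflake's own tooling.
-- Assumes: a role with access to SNOWFLAKE.ACCOUNT_USAGE and the privilege to
-- set account-level policies. Object names and IP ranges are hypothetical.

-- 1. Monitor: enabled users who can still log in with a password and have no
--    MFA enrolled. These are the accounts a stolen credential alone unlocks.
SELECT name,
       has_password,
       has_mfa,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Hunt: successful password-only logins over the last 30 days, summarised
--    per user. A credential lifted by an infostealer from a contractor laptop
--    shows up as FIRST_AUTHENTICATION_FACTOR = 'PASSWORD' with no second
--    factor, typically from a client type or source IP the user never used
--    before. Compare the IP and client columns against your known egress
--    ranges and sanctioned tooling.
SELECT user_name,
       COUNT(*)                              AS password_only_logins,
       COUNT(DISTINCT client_ip)             AS distinct_source_ips,
       COUNT(DISTINCT reported_client_type)  AS distinct_client_types,
       MIN(event_timestamp)                  AS first_seen,
       MAX(event_timestamp)                  AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP  BY user_name
ORDER  BY distinct_source_ips DESC, password_only_logins DESC;

-- 3. Enforce: an authentication policy that makes MFA enrolment mandatory.
--    MFA_AUTHENTICATION_METHODS = ('PASSWORD') scopes the requirement to local
--    password logins, which is the "local users only" option the article
--    describes; add 'SAML' to the list to cover single sign-on users as well.
--    SNOWFLAKE_UI must stay in CLIENT_TYPES so users can complete enrolment.
CREATE AUTHENTICATION POLICY IF NOT EXISTS sec_admin.policies.require_mfa
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL', 'DRIVERS')
  COMMENT = 'Require MFA enrolment for all password-based logins';

ALTER ACCOUNT SET AUTHENTICATION POLICY sec_admin.policies.require_mfa;

-- 4. Network policy: restrict where credentials can be used from, so that a
--    password replayed from an attacker's VPS is refused even before MFA.
--    The ranges below are RFC 5737 documentation addresses standing in for
--    your corporate egress CIDRs.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Corporate egress ranges only';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Run queries 1 and 2 before applying the policies in 3 and 4: the first shows the exposure, the second shows whether it has already been exploited, and service accounts that authenticate with key pairs or OAuth rather than passwords will not appear in either and are unaffected by the MFA requirement. Note that ACCOUNT_USAGE views are populated with some latency (up to a couple of hours), so for a live incident use the SHOW USERS and INFORMATION_SCHEMA.LOGIN_HISTORY table function equivalents instead.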

Javvad Malik, lead security awareness advocate at KnowBe4, said: “It’s good to hear that Snowflake is enabling MFA by default. From an account security perspective, MFA is probably one of the single most effective controls to have in place. Given all the attacks against accounts, including credential stuffing, more organisations should enable MFA by default.”


© 2024 cyberbeatnews.com – All Rights Reserved.