Dive Brief:
- A cyberattack targeting AT&T’s Snowflake environment compromised data on nearly all of the telecom provider’s wireless customers, the company said in a Friday filing with the Securities and Exchange Commission. Nearly 110 million customers are impacted, according to AT&T’s annual report for the period of compromised data.
- Data stolen during the intrusion includes records of AT&T customers’ calls and text messages spanning a six-month period ending Oct. 31, 2022, and records from Jan. 2, 2023, the company said in the SEC filing.
- The attack did not expose the content of calls or text messages, customer names or personally identifiable information, according to AT&T. Yet, the stolen records include the phone numbers AT&T wireless customers interacted with, counts of those interactions and aggregate call duration for a day or month.
Dive Insight:
AT&T is one of at least 100 companies impacted by a wave of attacks targeting Snowflake customer environments. AT&T spokesperson Andrea Huguely told Cybersecurity Dive the customer data was stolen from the carrier’s Snowflake database.
The attacks targeting Snowflake customers were not caused by a vulnerability, misconfiguration or breach of Snowflake’s systems, Mandiant said last month in a threat intelligence report.
Stolen credentials obtained from multiple infostealer malware infections on non-Snowflake-owned systems were the point of entry for the attacks, Mandiant said. Impacted customer accounts were not configured with multifactor authentication.
AT&T said it became aware of the attack and theft of AT&T call logs on April 19, and immediately activated its incident response process with the aid of third-party cybersecurity experts.
Attackers accessed AT&T’s Snowflake environment between April 14 and April 25, the wireless network provider said.
“AT&T has taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access,” the company said in the SEC filing. “AT&T will provide notice to its current and former impacted customers.”
The telecom giant delayed filing a cybersecurity incident disclosure with the SEC after the FBI and Justice Department granted delays on May 9 and June 5 due to potential risks to national security and public safety, according to the SEC filing. The FBI fields and investigates disclosure delay requests before referring decisions to the DOJ.
“AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work,” a spokesperson for the FBI said via email.
AT&T said it’s working with law enforcement in an ongoing investigation. “Based on information available to AT&T, it understands that at least one person has been apprehended,” the company said in the SEC filing. “As of the date of the filing, AT&T does not believe that the data is publicly available.”