The attackers behind the April 2024 breach of AT&T made off with a massive amount of customer data. According to reports, they obtained roughly six months of call and text records (metadata, not message content) for nearly every AT&T cellular customer, estimated at 109 million customer accounts and 127 million devices.
While the scale of the breach is alarming, it is not the only factor that deserves close consideration. The circumstances that made the security failure possible, and the way AT&T and government officials responded, hold lessons for anyone who relies on cybersecurity measures to keep their data secure.
The role of third-party vulnerability in the AT&T hack
The faulty CrowdStrike sensor update that caused global Windows outages in July 2024 highlighted the risk of depending on a third-party provider for security services. The AT&T breach shines a spotlight on a different kind of third-party exposure: data held on someone else's platform.
“The data involved in the AT&T hack wasn’t exfiltrated from AT&T directly, but from a third-party cloud platform,” explains Dev Nag, Founder and CEO of QueryPal. “That element of the breach underscores the critical importance of robust data lineage practices.”
Nag is an experienced technology professional who has worked as a Senior Engineer at Google and as Manager of Business Operations Strategy at PayPal. He launched QueryPal to revolutionize customer experience by providing an AI-powered solution for automating ticket responses in high-volume environments.
The AT&T hack highlights how complex today's data-storage landscape has become. Companies that amass staggering amounts of data often turn to third-party providers to store it, and those providers in turn offload parts of the workload to subprocessors of their own. The result is a chain in which it is often difficult to determine exactly which company is responsible for securing a given dataset.
“It’s no longer enough to vet your immediate vendors,” Nag warns. “You must understand the entire data ecosystem, including subprocessors and their security measures.”
The AT&T hack also raises the question of how much historical user data a company should keep, and for how long. The more data a company stores, and the longer it retains it, the more attractive it becomes as a target.
“This breach forces us to reevaluate data retention policies,” Nag says. “Do we really need to store such sensitive data on third-party platforms for extended periods — nearly a year in this case — essentially creating a honeypot for attackers?”
The potential ripple effect of the AT&T hack
When the details of the hack began to emerge, AT&T announced in a press release that the data did not contain “the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information.” While that is good news, it does not mean the data is of no value to attackers.
“The data gives hackers a much better picture of their targets, allowing them to mount better quality attacks,” explains Ashley Manraj, Chief Technology Officer at Pvotal Technologies. “For example, they can use the data to know what doctors people interacted with or what services they registered for. They may not be able to harm you directly with the data, but they can use it to learn more about you.”
Manraj is a seasoned security auditor who has spent more than a decade evaluating systems to identify cybersecurity vulnerabilities. Pvotal provides solutions for enterprise infrastructures in which growth and agility go hand in hand with security.
The AT&T press release validates Manraj’s concerns, stating: “While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”
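To make the point concrete, here is an added illustration of what call and text metadata reveals once numbers are resolved to names. It is not code from the article or from any of the firms quoted, and it runs on constructed records with fictional 555 numbers. The `REVERSE_LOOKUP` table is an assumed stand-in for the “publicly available online tools” AT&T refers to; in practice that step is a reverse phone lookup or business listing.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One call-detail-style metadata row: no content, just who, when, how long."""
    subscriber: str  # the customer's own number
    peer: str        # the other party
    kind: str        # "call" or "sms"
    day: str         # YYYY-MM-DD
    seconds: int     # duration; 0 for sms


# Constructed sample records (fictional 555 numbers), not data from the breach.
RECORDS = [
    Record("+12025550101", "+12025550199", "call", "2022-05-03", 420),
    Record("+12025550101", "+12025550199", "call", "2022-05-17", 380),
    Record("+12025550101", "+12025550150", "sms", "2022-05-18", 0),
    Record("+12025550101", "+12025550150", "sms", "2022-05-18", 0),
    Record("+12025550101", "+12025550160", "call", "2022-06-02", 60),
    Record("+12025550102", "+12025550160", "call", "2022-06-02", 90),
    Record("+12025550102", "+12025550101", "sms", "2022-06-04", 0),
]

# Assumed stand-in for the "publicly available online tools" AT&T mentions
# (reverse phone lookup, business listings). This is the step that turns a
# bare number into a name or an organization.
REVERSE_LOOKUP = {
    "+12025550199": "Example Oncology Clinic",
    "+12025550150": "Example Bank fraud-alert line",
    "+12025550160": "Example Pharmacy",
}


def enrich(records, lookup):
    """Per subscriber: each peer with contact count, total seconds, public label."""
    profile = defaultdict(dict)
    for r in records:
        entry = profile[r.subscriber].setdefault(
            r.peer, {"count": 0, "seconds": 0, "label": lookup.get(r.peer)})
        entry["count"] += 1
        entry["seconds"] += r.seconds
    return dict(profile)


def flag_sensitive(profile, min_count=2):
    """Labels a subscriber contacted at least min_count times: the 'which doctor,
    which services' inference, made without any message content."""
    out = {}
    for subscriber, peers in profile.items():
        labels = sorted(e["label"] for e in peers.values()
                        if e["label"] and e["count"] >= min_count)
        if labels:
            out[subscriber] = labels
    return out


def shared_peers(records):
    """Peers contacted by more than one subscriber; these link customers together."""
    by_peer = defaultdict(set)
    for r in records:
        by_peer[r.peer].add(r.subscriber)
    return {peer: sorted(subs) for peer, subs in by_peer.items() if len(subs) > 1}


if __name__ == "__main__":
    profile = enrich(RECORDS, REVERSE_LOOKUP)
    for subscriber, labels in flag_sensitive(profile).items():
        print(subscriber, "->", ", ".join(labels))
    for peer, subs in shared_peers(RECORDS).items():
        print(f"{peer} ({REVERSE_LOOKUP.get(peer, 'unknown')}) links {subs}")
```

Nothing here needs the content of a single call or text: repeated contact with a labelled number is enough to attach a medical provider and a bank to one subscriber, and a number two subscribers both called ties them to each other. Against a dataset covering nearly every customer, this is the kind of picture that makes later phishing and impersonation attempts far more convincing.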
The implications of the delayed disclosure of the AT&T hack
When a security breach occurs, best practice is to inform those affected as soon as possible. Customers may need to take steps in response, such as changing passwords or canceling credit cards, and knowing about the breach helps them recognize the scams the stolen data can fuel.
However, reports of the AT&T attack took months to surface, and AT&T attributed the delay to the US Department of Justice, which determined that holding back disclosure was warranted.
“The DOJ’s approval to delay disclosure, citing national security or public safety concerns, is highly unusual,” Nag says. “The public involvement of the DOJ and FBI, rather than agencies like the CIA, suggests this might be linked to an ongoing domestic criminal investigation, rather than nation-state hackers. This could indicate an active effort to track the attackers while they continue their operations, potentially uncovering a larger criminal network.”
The delay is unusual, as Nag points out, but companies and consumers should be aware that such a delay is always possible. A delay that serves a broader investigative purpose may be required even when it increases the harm to those whose data was taken.
“The factors in play with the AT&T hack highlight the rapidly evolving complexity of telecom cybersecurity, where data management and law enforcement considerations are becoming as crucial as traditional network security measures,” Nag says.
The AT&T hack is a reminder that cyber threats are constantly evolving. Every new breach carries implications that companies and consumers must weigh if they are to keep their data secure.