
AT&T data breach impacts 110 million customers

Catherine Chipeta

In a concerning update for the telecom and cloud data security sectors, AT&T has been hit by a major data breach linked to the ongoing Snowflake cybersecurity incident. This breach, revealed on 12 July 2024, has exposed the phone records of almost 110 million AT&T customers, highlighting vulnerabilities in cloud-based data storage and the urgent need for stronger cybersecurity measures.

Key details

  • Around 110 million AT&T customers are affected.
  • Data stolen includes phone numbers, call and text records, and location data.
  • The breach is tied to a broader attack on the Snowflake cloud platform.
  • AT&T reportedly paid hackers approximately $370,000 in Bitcoin to delete stolen phone records.
  • AT&T’s stock dropped by 0.3%, amounting to a $130 million loss in market cap.
  • Authorities have apprehended at least one individual in connection with the breach.

Understanding the Snowflake connection: cloud data vulnerabilities exposed

AT&T discovered the breach when a security researcher notified the company about compromised call logs obtained through Snowflake’s insecure cloud storage. After verifying the data’s authenticity, AT&T reportedly engaged Google-owned cybersecurity firm Mandiant for further investigation and disclosed the breach to the SEC.

The AT&T breach is part of a wider supply chain attack involving Snowflake, a major cloud data analysis player whose platform serves tech giants such as Adobe, Canva, and Mastercard.

Other known affected Snowflake customers include large companies such as Ticketmaster, Santander Bank, Advance Auto Parts, and Neiman Marcus, signalling significant vulnerabilities in Snowflake's cloud data systems.

The primary suspect behind the data theft allegedly accessed the information through insecure cloud storage and was reportedly arrested in May on unrelated charges connected to a previous breach involving T-Mobile. Although AT&T claims the data has been erased from the hackers’ possession, concerns remain about potential copies of the dataset circulating among other parties.

Scope of the AT&T breach: what was compromised

Data stolen in the AT&T breach includes:

  • Phone numbers for both cellular and landline users
  • Records of calls and texts
  • Details of interactions between phone numbers
  • Total counts of calls and texts
  • Call durations
  • Cell site IDs that can pinpoint approximate call locations

The compromised data spans from May to October 2022, with a smaller group of data extending to January 2023. AT&T confirmed that, unlike its previous breach that exposed the sensitive data of 73 million AT&T customers earlier this year, the Snowflake breach did not include call or text contents, names, credit card data, or Social Security numbers.

AT&T breach: financial impact

AT&T reportedly paid hackers approximately $370,000 in Bitcoin to delete stolen phone records, which included call and text metadata of millions of customers. AT&T reportedly approached the hackers, who are affiliated with the ShinyHunters group, after learning of the breach from a security researcher acting as an intermediary.

In the days following the breach, AT&T’s stock fell by 0.3% to $18.80, reflecting a $130 million drop in market cap. Before the hacking disclosure, AT&T stock had been up 12% in 2024.

Implications for finance leaders: lessons from the AT&T breach

For CFOs and finance managers, this incident underscores several key points:

  • Cloud risks: The breach highlights the risk of storing sensitive data in cloud systems.
  • Third-party oversight: It emphasises the need to vet third-party providers and understand their security protocols.
  • Fraud detection: Finance departments need effective controls for spotting unusual activities and preventing fraud.
  • Incident response: Organisations must have robust plans to manage breaches and maintain stakeholder trust.
  • Financial security: The stock drop shows how breaches can impact financial stability, highlighting cybersecurity as a key financial risk.

Looking ahead: strengthening cybersecurity in finance

As investigations into AT&T’s breach continue, finance leaders must remain vigilant as scam risks heighten following a significant data breach. This latest incident serves as a reminder of cybersecurity’s crucial role in the digital finance world. Moving forward, finance professionals should:

  • Conduct regular data analytics to detect fraud and security risks.
  • Invest in software to verify supplier details and bank accounts.
  • Centralise data for comprehensive review processes.
  • Allocate resources to cybersecurity measures and training.

Learning from such incidents will help finance leaders protect their organisations from evolving cyber threats.
