Massive Records Breach Affects AT&T and Carriers Which Use Its Network ⇥ techcrunch.com

Zack Whittaker, TechCrunch:

U.S. phone giant AT&T confirmed Friday it will begin notifying millions of consumers about a fresh data breach that allowed cybercriminals to steal the phone records of “nearly all” of its customers, a company spokesperson told TechCrunch.

In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages — such as who contacted who by phone or text — during a six-month period between May 1, 2022 and October 31, 2022.

AT&T said some of the stolen data includes more recent records from January 2, 2023 for a smaller but unspecified number of customers.

AT&T discovered this breach in April but waited until today to announce it. But if you believed this wholesale theft of metadata would shake confidence in the value of AT&T as a business, think again: the market is not punishing the company.

From AT&T’s SEC filing:

On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted. AT&T is now timely filing this report. AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended. As of the date of this filing, AT&T does not believe that the data is publicly available.

Joseph Cox, 404 Media:

John Binns, a U.S. citizen who has been incarcerated in Turkey, is linked to the massive data breach of metadata belonging to nearly all of AT&T’s customers that the telecommunications giant announced on Friday, three sources independently told 404 Media.

The breach, in which hackers stole call and text records from a third-party cloud service provider used by AT&T, is one of the most significant in recent history, with the data showing what numbers AT&T customers interacted with across a several month period in 2022. 404 Media has also seen a subset of the data, giving greater insight into the highly sensitive nature of the stolen information.

Binns also took responsibility for breaching T-Mobile in 2021, for which he was recently arrested after being charged in 2022. It seems likely to me Binns is the Turkish-residing member alluded to by Google’s Mandiant in its report on UNC5537, the threat actor associated with breaching possibly 165 customers of the Snowflake platform.

AT&T and other giant corporations will continue to retain massive amounts of data with poor security because it is valuable for them to do so and they are barely punished when it all goes wrong. T-Mobile paid a $350 million penalty in 2022 while continuing to say it did nothing wrong. The same year, it made $61.3 billion. In 2022, U.S. median household income was $74,580. Proportionally, T-Mobile got a $425 ticket.

Update: The 404 Media post was not paywalled at the time of posting, but it was later restricted.