If you search the internet for news about the recent AT&T breach, you will be struck by how much is going on and how little of it fits together.
SC Media first reported on July 12 that the wireless carrier had acknowledged that a data breach linked to third-party platform Snowflake included files containing AT&T call detail records (CDRs) for “almost all” of AT&T’s mobile phone customers, meaning more than 100 million users.
Between reports late Friday that the federal government had negotiated with AT&T to delay its SEC filing, and reports that AT&T had paid a ransom to have the stolen data deleted, the incident has drawn a great deal of coverage, much of it confusing.
Here are answers to some important questions.
Why did AT&T delay its SEC filing until July 12?
AT&T first learned of the breach in April, and its SEC filing is dated May 6, but the filing wasn’t made public until last Friday.
The FBI told SC Media that AT&T contacted the FBI to report the incident immediately after identifying the potential breach of customer data and before making a determination of its significance. In assessing the nature of the breach, the FBI said all parties involved discussed the possibility of delaying the public reporting under Item 1.05(c) of the SEC Rules due to potential risks to national security and/or public safety. AT&T, the FBI and the Department of Justice worked together throughout the first and second delay processes, sharing threat information to enhance the FBI’s investigation and assist AT&T in its incident response efforts.
An AT&T spokesman added that the company is cooperating with law enforcement in the ongoing investigation and that as part of that effort, it delayed the announcement to avoid prejudice to the investigation.
Why does the delayed filing matter?
The delay is significant because it reportedly marks the first time the Department of Justice has granted a disclosure delay under the SEC’s new cybersecurity rules, which took effect last December and require public companies to disclose a cybersecurity incident within four business days of determining that it is material.
Is it true that AT&T paid the hackers $370,000 to delete the data?
We don’t know for sure. Both AT&T and the FBI have declined to comment on the reported ransom payment. Wired first reported on July 14 that AT&T had allegedly paid the hackers about $370,000 in Bitcoin to prevent the data from being leaked.
A security researcher who goes by the handle Reddington told Wired that he was contacted by the hacker John Binns in April. Binns claimed to have obtained millions of call records of AT&T customers from Snowflake. As some may remember, Binns was detained in Turkey for his alleged involvement in the 2021 T-Mobile data breach, and he may be the person AT&T referred to in its official statement on Friday. The $370,000 ransom was originally to go to Binns, but after his arrest in Turkey, AT&T reportedly sent it to a member of ShinyHunters instead. Reddington, Binns and the ShinyHunters hackers reportedly stored AT&T’s complete database on a cloud server and deleted it after the company paid the ransom.
However, the hackers may have sent samples of the data to multiple people before it was eventually deleted.
If AT&T paid the ransom, was that a good move?
Zendata CEO Narayana Pappu said the ransom AT&T allegedly paid was well below the average ransom payment of roughly $2 million. Rather than creating an incentive for something like this to happen again, would it not have been a better strategy not to pay at all?
Pappu answered, “Yes.” But a company like AT&T faces a variety of risks: operational, regulatory, and brand/reputational. Taking action to have the data removed and developing a mitigation plan are part of managing that brand/reputational risk. For example, AT&T’s stock price has fallen more than 1% since the breach surfaced, against a market capitalization of about $130 billion.
Why were intelligence agencies so concerned about stolen call detail records?
The FBI and intelligence analysts are concerned because CDRs are extremely valuable data. Agnidipta Sarkar, vice president and CISO advisory at ColorTokens, said CDRs can reveal where a person lives, who they frequently call, what they talk about, where they work, how they spend their free time, their political and religious beliefs, or typically private or sensitive conversations that need to be kept secret.
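The following Python script is an added illustration of why analysts treat CDRs as sensitive even though they carry no call content; it is example code written for this page, not code from the article, AT&T, Snowflake or any vendor quoted here. The records, phone numbers and cell-site identifiers are constructed for the example, and the field layout (caller, callee, start time, duration, originating cell site) is a simplified assumption about what a CDR contains.

```python
from collections import Counter
from datetime import datetime

# Constructed call detail records for the example. Real CDRs carry many more
# fields (IMSI, IMEI, trunk and billing codes); every value here is invented.
# Layout: (caller, callee, start time UTC, duration in seconds, originating cell site)
CDRS = [
    ("5550100", "5550200", "2024-03-01T23:10:00", 310, "SITE-A"),
    ("5550100", "5550200", "2024-03-02T22:45:00", 120, "SITE-A"),
    ("5550300", "5550100", "2024-03-02T13:05:00", 45, "SITE-B"),
    ("5550100", "5550400", "2024-03-03T12:30:00", 600, "SITE-B"),
    ("5550100", "5550200", "2024-03-03T07:15:00", 90, "SITE-A"),
    ("5550100", "5550500", "2024-03-04T18:00:00", 30, "SITE-C"),
    ("5550200", "5550100", "2024-03-04T23:30:00", 200, "SITE-A"),
    ("5550100", "5550400", "2024-03-05T10:00:00", 400, "SITE-B"),
]


def top_contacts(records, subscriber, n=3):
    """Rank the numbers a subscriber talks to most, counting both directions.

    This is the 'who they frequently call' inference: a social graph built
    purely from metadata, with no access to what was said.
    """
    counts = Counter()
    for caller, callee, _start, _secs, _site in records:
        if caller == subscriber:
            counts[callee] += 1
        elif callee == subscriber:
            counts[caller] += 1
    return counts.most_common(n)


def dominant_site(records, subscriber, start_h, end_h):
    """Most common originating cell site on the subscriber's outgoing calls
    whose start hour falls in the window [start_h, end_h).

    A window with start_h > end_h (e.g. 22 to 6) wraps past midnight. Only
    outgoing calls are used because, in this assumed layout, the cell site
    belongs to the originating party's handset.
    """
    sites = Counter()
    for caller, _callee, start, _secs, site in records:
        if caller != subscriber:
            continue
        hour = datetime.fromisoformat(start).hour
        if start_h < end_h:
            in_window = start_h <= hour < end_h
        else:
            in_window = hour >= start_h or hour < end_h
        if in_window:
            sites[site] += 1
    return sites.most_common(1)[0][0] if sites else None


def profile(records, subscriber):
    """Combine the inferences: likely home cell (night calls), likely work
    cell (business-hours calls) and strongest contacts."""
    return {
        "home_site": dominant_site(records, subscriber, 22, 6),
        "work_site": dominant_site(records, subscriber, 9, 17),
        "top_contacts": top_contacts(records, subscriber),
    }


if __name__ == "__main__":
    print(profile(CDRS, "5550100"))
```

With a real carrier-scale dataset the same two loops, run over every subscriber, yield a nationwide contact graph and a home/work location estimate for each line, which is why a metadata-only leak is treated as a national-security problem rather than a billing-data problem.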
Sarkar said that if this fell into the wrong hands, the information could be misused – so is this a justification for paying hackers?
“Maybe,” Sarkar said, “but it depends on what we’re focusing on. Best practice says you shouldn’t pay, but there may be bigger issues to consider. Would the delay in disclosure have helped? It remains to be seen whether the authorities could have done anything with the additional time.”
Approov CEO Ted Miracco added that the metadata leaked in the AT&T breach is very similar in nature to the data exposed by Edward Snowden, whose disclosures detailed how the National Security Agency collected vast amounts of metadata from telecommunications companies, including AT&T.
Miracco said Snowden’s revelations concerned programs authorized under the Patriot Act and other laws, and that telecommunications companies are legally required to share data with the NSA and other agencies. AT&T’s data is highly valuable for surveillance and intelligence purposes because it allows agencies to track communication patterns and relationships between individuals and identify suspicious activity.
“If the leaked AT&T data was part of a government surveillance program or contained information that could compromise national security operations, the FBI would likely want to delay its release in order to manage the situation without causing widespread panic or alarming adversaries,” Miracco said. “Keeping the leak secret would allow the government to assess the damage and take appropriate measures without exposing its surveillance infrastructure.”
Miracco added that telecommunications companies like AT&T are high-value targets for nation states and terrorist groups. He said that if attackers were able to access a metadata repository that may be used by intelligence agencies, it suggests a level of intent and capability typical of nation-state attackers, but that there are too many unanswered questions at this point.