AT&T fallout ensues after massive data heist

  • AT&T on Friday reported a data breach that affected nearly all of its wireless customers
  • In May, AT&T reportedly paid a hacker over $300,000 in ransom – a third of the $1 million that was originally sought
  • Tied to AT&T’s hack and a prior data theft at T-Mobile is John Binns, an American hacker living in Turkey

Reaction to the massive data breach that AT&T revealed on Friday came fast and furious.

Security industry analysts blamed weak security controls around third-party data storage. Others argued that the data breach could have been “much slimmer” had the data been stored with blockchain technology.

Even AT&T’s foes in the fight over 4.9 GHz spectrum seized the day, saying it’s more evidence the spectrum should stay in the hands of state and local public safety users and not be transferred to AT&T’s network.

All of this came in response to AT&T’s revelation on Friday that hackers stole six months' worth of mobile phone customer data from 2022. The data did not include the content of calls or Social Security numbers, but it included the records of calls and texts of nearly all of its 110 million customers and the customers of MVNOs using its network.

The records identified the phone numbers with which AT&T customers interacted during the hacked period, including phone numbers of AT&T wireline customers and customers of other carriers. The data didn’t include customer names, but anyone using publicly available online tools could easily find the name associated with a specific phone number.

In a press release Friday, AT&T said the customer data was illegally downloaded from its workspace on a third-party cloud platform. An AT&T spokesperson identified the third party as Snowflake.

Ransom report

AT&T didn’t say anything about paying a ransom to get the stolen customer information deleted, but Wired interviewed a hacker, identified as part of the ShinyHunters group, who said the operator paid a ransom in May.

ShinyHunters took credit for stealing data from a number of victims through unsecured Snowflake cloud storage accounts, according to Wired.

Although the hacker originally sought $1 million, AT&T talked them down to the equivalent of $373,646 in bitcoin, according to the publication. The money was then laundered through several cryptocurrency exchanges and wallets.

An AT&T spokesperson declined to comment to Fierce on the ransom report.

Ties to T-Mobile

In another twist, one of the same individuals involved in the AT&T breach is tied to a major data breach at T-Mobile that occurred in 2021.

In its disclosure last week, AT&T said it has been working with law enforcement in efforts to arrest those involved and that at least one person has been arrested.

According to The Desk, that person is John Binns, 24, who lives in Turkey and was originally connected to the theft of T-Mobile customer data three years ago. He’s one of several individuals believed to be involved in the AT&T hack and is not the hacker who received payment, according to Wired.

The FBI declined to comment Monday on the individual arrested in connection with AT&T’s data breach.

Binns told the Wall Street Journal in 2021 that T-Mobile’s lax security eased his path into accessing records with personal details on more than 50 million people.

Class action lawsuits

Wireless industry analyst Bill Ho of 556 Ventures said he doesn’t have a lot of insight into the cybersecurity world, but “human nature says that if someone is successful in breaching one telco, they might go on and try others” because some of the security procedures may share some commonality.

The FCC on Friday posted on X that it also has an ongoing investigation into the AT&T breach and is coordinating with law enforcement partners.

AT&T already is facing more than 30 class actions for a breach of about 73 million former and current customer records that was announced in March.

On Friday, a new class action suit was filed in the U.S. District Court for the Northern District of Texas accusing AT&T of not being sufficiently transparent about the nature and extent of data security lapses, according to Bloomberg. The complaint was filed by Florida resident Dina Winger, an AT&T customer for more than 15 years.

Third-party vendors called into question

After news of AT&T’s data breach, several entities in the cybersecurity industry and elsewhere reached out to Fierce offering comment. One of those was Jennifer Coates, a partner at the law firm Dorsey & Whitney, who previously served as assistant attorney general with the Office of the Minnesota Attorney General.

“The common thread in the cyber-protection world, this year, has been the role of third-party vendors,” she said, referring to AT&T's relationship with Snowflake, which is now facing scrutiny. “Businesses need to consider the risk profile of not ensuring cybersecurity requirements as part and parcel of each and every vendor contract.”

Wireless carriers increasingly are targets of hackers. That’s because they hold a lot of sensitive information about their customers, who often are required to share personal information simply to set up an account, noted Cliff Steinhauer, director of Information Security and Engagement at the National Cybersecurity Alliance.

That makes them natural targets, and motivated attackers with nothing but time on their hands are going to pursue companies that have limited resources and time, he said.

In AT&T’s case, it appears the data breach was the result of a third-party cloud hosting provider that didn’t turn on multifactor authentication by default and users, including large organizations that should know better, didn’t turn it on themselves, he said.

Cybersecurity Awareness Month is observed every October, and this year marks its 20-year anniversary. Yet, “we routinely talk about the same things,” he said. “We’ve been talking about strong and unique passwords. We’ve been talking about multi-factor authentication, backing up your data, keeping your software updated. Every single year for 20 years, the advice has not changed.”

In this latest case, “I hope that they publish more details on what happens so that the rest of us can learn and maybe avoid the same mistake from happening,” Steinhauer said.