A cyber criminal is reportedly $550,000 ($US370,000) richer after US telecommunications giant AT&T allegedly paid them to delete a stolen copy of phone call and SMS logs of 110 million customers — but as the company revisits its security, experts argue the breach is “too big to ignore”.

Reports of a 5.7 Bitcoin payment sent to the hacker — said to be affiliated with the ShinyHunters group, which has been linked to the compromise of Australians’ data from Ticketmaster and Pizza Hut — were confirmed by WIRED, which reported the criminal had originally demanded $1.48 million ($US1 million) to delete the data.

AT&T revealed the data was “illegally downloaded from our workspace on a third-party cloud platform”, and exposed files containing records of all calls and texts made by AT&T mobile customers and landline customers who called mobile numbers between 1 May, 2022 and 31 October of that year.

Mobile virtual network operators using AT&T’s mobile network were also impacted.

The records do not contain the content of the text messages or details such as the time and date of the communications, but they do identify which numbers were called or texted.

It created the risk, AT&T admitted, that third parties could use publicly available reverse phone lookup services to “find the name associated with a specific telephone number”.

That, in turn, would allow an interested party to identify the people with whom a particular AT&T mobile customer has been communicating and the services they have called.

Such cross-matching could, for example, identify domestic violence victims or people with mental health concerns who have called support lines, women making enquiries with abortion service providers, or people conducting extramarital affairs.

Thomas Richards, principal security consultant within the Synopsys Software Integrity Group, noted that the information could be used “to piece together events and who may be calling who”.

“This could impact people’s private lives as private calls and connections could be exposed.

“The business phone numbers will be easy to identify and private numbers can be matched to names with public record searches.”

Despite reportedly paying the ransom to the cyber criminal in May, AT&T said in its recent statement that it had “taken steps to close off the illegal access point” and was “working with law enforcement in its efforts to arrest those involved in the incident”, with “at least” one person apprehended so far.

Telcos a flashpoint for consumer trust

The breach comes just months after another significant breach of AT&T’s data exposed personal information of 7.6 million current and 65.4 million former customers from 2019 and earlier, which was found on the dark web nearly three years after hackers claimed to have stolen it.

Cyber security expert Scott Schober called the latest breach “too big to ignore”, but added “the lack of private content might come as a relief to some”.

“But it simply serves as a reminder that our data privacy laws in the US are almost non-existent, non-regulated and have become just the cost of doing business.”

That cost increases dramatically when companies rely on third parties for functions such as billing — as AT&T was — and those third parties are compromised.

“When third party vendors aren’t vetted properly or audited regularly, security is always the first casualty,” Schober said.

In putting nearly half of US adults at risk, the two AT&T breaches highlight the ongoing challenges which organisations like banks and telecommunications companies face as ever-increasing volumes of personal and communications data make them targets for hackers.

A recent Cohesity survey of 300 Australian IT and security executives found 72 per cent of companies said they were victims of a ransomware attack in the second half of 2023, and 81 per cent admitted to having paid a ransom in the past two years even though nearly three quarters had formal ‘do not pay’ policies.

AT&T is already facing a flurry of class action lawsuits over the unlawful access to its data, while the Australian government is suing Optus over its 2022 breach and has imposed tighter restrictions on Telstra after its own leak in the same year.