Brian Krebs’ Post

AT&T Corp. disclosed today that a new data breach has exposed phone call and text message records for roughly 110 million people — nearly all of its customers. AT&T said it delayed disclosing the incident in response to “national security and public safety concerns,” noting that some of the records included data that could be used to determine where a call was made or text message sent. AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed). https://lnkd.in/eZeW-Ka5

Crooks Steal Phone, SMS Records for Nearly All AT&T Customers

krebsonsecurity.com

Neal Krawetz

Owner, Hacker Factor Solutions

3w

Does this also include the various resellers who use the AT&T network?

Matthew Chambers

IT Self-Support | SaaS Innovator | Recovering Hacker

3w

Telling people their data was leaked isn’t the same as releasing it. Wouldn’t those affected be better equipped to understand the impact? Or is the real worry that announcing it makes bad actors rush to get a copy? Because if they were, that would certainly light up SIGINT.

Ibrahim Fetterolf

Coordinated Rapid Development

3w

CSPM, data classification->DSPM, address this. Why then are we still seeing “random bucket with high value information protected by nothing” in 2024? There are endemic cultural issues that require specialized training for developers that cannot be mixed in with other activities. Development culture today does not, and cannot, prioritize secure practices over product release, unless the industry monetizes or penalizes that sufficiently. There is also a need for Toyota Camry level availability of cybersecurity solutions where currently many see these tools as an extra. They are not. The tools and the practices are a strategic imperative if you do not already know that you have total vision over your vulnerabilities, and where your data is going. Before any of that? You need to do the work to identify which of your data is sensitive and which is not, and track it wherever it moves. If you don’t, this will happen. If someone takes a shortcut and an intern has rights to copy the database, this will happen. You need ZT for that. You need granularity of access/actions between systems and dynamic levels of trust that measure risk.

Andy Garrett

CEO | Speaker - NACDL | Instructor 702 Cellular Academy | Digital Forensic Expert Witness | 300+ Testimony | Instructor

3w

What was stolen is called MDT data. This is not only who called whom, but also the signal strength measurements for up to 5 cell towers and the GPS location of the phone. If you take MDT measurements without GPS and correlate those to ones with GPS you can assure the two phones are near each other and estimate location sometimes down to two square meters. This is problematic for AT&T as this will surely be used to show senators’, congressmen’s and FBI agents’ movements. This will show covert operations to the location of reporters and can show you who their sources were based on location. A company that used to sell on this data is called Fog Data. They didn’t want anyone to know they were keeping this type of data for fear the ACLU will step in and give them trouble. They share this data with the National Domestic Communications Assistance Center and with the FBI. I bet the portal they speak about is a government portal. You may be asking why Minimization of Drive Test data? It’s the carriers’ dirty secret. To reduce the cost of network surveys and the cost to have the vans driving around all of the time measuring the network, they simply turned our phones into measuring devices that report into the network.

With this information, they can search for SMS based multi-factor authentication and have a list of customers to target for SIM swapping to gain access to banking or other impactful sites. If you're an AT&T customer using SMS multi-factor, now is the time to update to one of the big authenticator apps.

Again, nail the basics folks! SMH

Douglas Brush

Interim CISO for Regulatory and Legal Compliance | ESI Court Appointed Neutral (Special Master) | Data Breach and Duty of Care Expert Witness

3w

Note: they have also filed an 8-K in response to this data security event. https://otp.tools.investis.com/clients/us/atnt2/sec/sec-show.aspx?Type=html&FilingId=17677638&CIK=0000732717&Index=10000 "As of the date of this filing, this incident has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations." Ok. So why file? Were the updated SEC instructions last month unclear?

Matt Brandom

Customer Success Executive at Okta, Inc.

6h

What’s amazing is that AT&T is so far behind in IT modernization and digital transformation to even offer their consumers/customers MFA/2-FA to protect their accounts. If you are an internet-only customer then your account has ZERO security features available to enable…not even phishable SMS OTP. So, basically AT&T’s executive leadership refuses to make the necessary investments to protect their customers by offering basic platform security capabilities. There are multiple IDaaS providers and IAM vendors out there who offer customer identity platform solutions that could solve for this, but…alas AT&T has leadership who clearly prioritizes profits over consumer protection. If the Federal Communications Commission had any teeth they’d threaten AT&T to step up or pay up big time. David Brickhaus Richard Macias Chris Chmielewski

Tim Horton, CISSP

Principal Cloud Security Professional in ML Ops/DevSecOps | Enhancing Security, Driving Cost Savings and Cloud Innovation

3w

Why do companies often retain such data? I can’t think of regulatory, compliance, or operational needs other than for purposes they will not disclose. Extracting data at this volume in clear text remains a common issue due to insufficient security measures. Ideally, any significant data extraction should trigger alarms, but breaches persist due to inadequate monitoring and outdated security practices (hard outside, soft inside). Or the extraction is happening in real time. And if you pay for data transfer costs, I would think that alone would have made this stand out.
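The two control gaps discussed in this thread, a cloud database reachable with a password alone and a bulk extraction that no alarm caught, are both visible in ordinary database access logs. The script below is an added example, not code from the post or from any commenter, and it assumes a simple JSON-per-line access-log format with `user`, `mfa`, `src_ip`, `stmt` and `rows` fields plus per-user row baselines; the log lines and baselines are constructed for illustration. It flags every session authenticated without MFA and every user whose extracted row count exceeds either an absolute ceiling or a multiple of their own baseline.

```python
"""Added example (not from the post or its comments): audit constructed
cloud-database access-log lines for sessions without MFA and for bulk
extraction that should have tripped an alarm. Log format, field names
and thresholds are assumptions, not any vendor's real schema."""
import json
from collections import defaultdict

# Constructed sample log lines in the assumed JSON-per-line format.
SAMPLE_LOG = """
{"ts":"2024-04-14T02:03:11Z","user":"svc_reporting","mfa":false,"src_ip":"203.0.113.7","stmt":"SELECT","rows":1200}
{"ts":"2024-04-14T02:05:40Z","user":"svc_reporting","mfa":false,"src_ip":"203.0.113.7","stmt":"COPY INTO","rows":48000000}
{"ts":"2024-04-14T09:15:02Z","user":"analyst_a","mfa":true,"src_ip":"10.20.0.5","stmt":"SELECT","rows":500}
{"ts":"2024-04-14T09:20:17Z","user":"analyst_a","mfa":true,"src_ip":"10.20.0.5","stmt":"SELECT","rows":2500}
{"ts":"2024-04-14T11:42:55Z","user":"intern_b","mfa":true,"src_ip":"10.20.0.9","stmt":"COPY INTO","rows":9000000}
"""

# Assumed per-user daily baselines (rows returned) from prior "normal" weeks.
BASELINE_ROWS = {"svc_reporting": 50_000, "analyst_a": 10_000, "intern_b": 5_000}

NO_MFA = "no_mfa_session"
BULK_EXTRACTION = "bulk_extraction"


def parse_log(text):
    """Parse JSON-per-line access-log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def find_no_mfa_sessions(events):
    """Return (user, src_ip, ts) for every access authenticated by password alone."""
    return [(e["user"], e["src_ip"], e["ts"]) for e in events if not e.get("mfa", False)]


def find_bulk_extraction(events, baselines, multiplier=10, absolute_rows=1_000_000):
    """Return (user, total_rows, baseline) for users whose rows in the window
    reach an absolute ceiling or `multiplier` times their own baseline.
    A single multi-million-row COPY would trip the absolute rule even for a
    user with no baseline on record."""
    totals = defaultdict(int)
    for e in events:
        totals[e["user"]] += int(e.get("rows", 0))
    alerts = []
    for user, rows in totals.items():
        base = baselines.get(user, 0)
        if rows >= absolute_rows or (base and rows >= multiplier * base):
            alerts.append((user, rows, base))
    return sorted(alerts)


def audit(text, baselines=BASELINE_ROWS):
    """Run both checks over raw log text and return the findings by kind."""
    events = parse_log(text)
    return {
        NO_MFA: find_no_mfa_sessions(events),
        BULK_EXTRACTION: find_bulk_extraction(events, baselines),
    }


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

In the constructed sample the service account shows up in both lists: it connected without MFA and then pulled 48 million rows in one statement, which is the shape of event the monitoring in Tim's comment is meant to catch. The relative rule also catches a smaller pull that is still far outside a particular user's normal volume, so both thresholds belong in the check.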

Dirk Praet

IT Security, GRC & Privacy Engineer. Threat Informed Defense. No salesreps. No recruiters. No exceptions. My opinions are my own.

2w

" ... exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed)." If nothing else, an excellent use case for including any such instances in your local IT risk register, or poking both risk and digital product owner for those already in there.
