Why the AT&T breach matters – and how to respond

Today’s columnist, Jake Williams of IANS Research, offers five tips for security teams following the recent AT&T breach. (Adobe Stock)
In the latest major cybersecurity incident, AT&T has revealed a significant data breach affecting nearly all of its wireless customers. The breach involves call data records (CDRs) from May 1, 2022, to Oct. 31, 2022, and a limited set from Jan. 2, 2023, and it has far-reaching implications for both individuals and organizations. The compromised data includes source and destination numbers and, for some records, cell site information that can offer a rough geolocation of the AT&T customer.

The stolen CDRs are a gold mine for intelligence analysis: they let threat actors map networks by identifying who is communicating with whom and when. Even without direct identification data, analysis of communication patterns can reveal sensitive relationships and operational details. This breach highlights the importance of protecting metadata, which is almost as valuable as the content of the communications themselves.

AT&T's case also triggers a complex set of regulatory and notification challenges. While it is clear that phone numbers are protected under many privacy frameworks, including GDPR, AT&T claims that the only international call records affected were those from Canada. This limits the immediate GDPR implications but does not eliminate the need for scrutiny. Businesses using AT&T wireless to communicate with customers must consider their own notification requirements. It remains to be seen whether AT&T will handle breach notifications on behalf of affected customers, a process that could become complicated by the need to identify victims outside of AT&T's direct customer base.

Companies that don't have AT&T accounts are still at risk: Even if a company isn't an AT&T customer, it may still have some exposure if it works with an MVNO that piggybacks on AT&T's network.

Expect lateral movement: Threat actors might use this data (if publicly exposed) to connect an organization to other organizations. This may create new risks if the company has been trying to keep those associations out of public view.

Move off SMS-based MFA: Threat actors might use this data to understand who is using SMS-based MFA. In some cases, they might use it to determine which services are in use. To the extent we still rely on SMS-based MFA, we should consider migrating those apps ASAP.

This case will have a long tail: We may have our own breach notification requirements arising from this breach of AT&T's data.

Don't underestimate the bad guys: This compromise demonstrates yet again how threat actors may combine data from previous incidents to exacerbate impacts. Previous AT&T incidents mapped customer phone numbers to other identifying information, simplifying the weaponization of the newly compromised data.

I consider the AT&T data breach a critical incident with extensive implications. It reinforces the need for robust security measures and the importance of protecting metadata. Organizations must take proactive steps to mitigate their exposure, ensure compliance with regulatory requirements, and enhance their overall security posture. As we navigate the fallout from this breach, it is clear that cybersecurity must remain a top priority for both individual users and organizations.

Jake Williams, former NSA hacker, faculty, IANS Research
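The column's point that CDR metadata alone reveals "who's communicating with whom and when", and its warning about associations an organization would rather keep private, can be turned into a self-assessment. The script below is an added example, not part of the column or of any AT&T material: it takes constructed CDR-shaped records (source number, destination number, timestamp, optional cell-site id, the fields the article lists) together with a hypothetical set of numbers an organization issued to staff, and reports which external relationships, shared contacts and rough locations such a record set would expose. All numbers, cell-site ids and timestamps are made up for illustration.

```python
"""Exposure assessment over CDR-style metadata (constructed example).

Given a set of numbers an organization knows it owns, summarize what a leaked
set of call data records would reveal about it: external contacts per number,
external parties linked to more than one internal number, and which internal
numbers carried cell-site information (rough location).
"""
from collections import Counter, defaultdict

# Constructed sample CDRs in the shape the article describes:
# source,destination,timestamp,cell_site (cell_site empty when not present).
# These values are invented; they are not real records.
SAMPLE_CDRS = """\
+15550100001,+15550200001,2022-05-03T09:12:00Z,CS-0417
+15550100001,+15550200001,2022-05-04T09:15:00Z,CS-0417
+15550100002,+15550200001,2022-05-04T10:02:00Z,
+15550100002,+15550300009,2022-05-05T16:40:00Z,CS-0902
+15550200001,+15550100001,2022-05-06T08:58:00Z,
+15550100003,+15550100001,2022-05-06T11:20:00Z,CS-0417
+15550300009,+15550100002,2022-05-07T17:05:00Z,
"""

# Hypothetical: numbers the organization issued to its own staff.
ORG_NUMBERS = {"+15550100001", "+15550100002", "+15550100003"}


def parse_cdrs(text):
    """Parse the constructed CSV-like CDR text into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, ts, cell = line.split(",")
        records.append({"src": src, "dst": dst, "ts": ts, "cell": cell or None})
    return records


def contact_graph(records):
    """Undirected contact counts: how many records link each pair of numbers."""
    edges = Counter()
    for r in records:
        edges[frozenset((r["src"], r["dst"]))] += 1
    return edges


def external_exposure(records, org_numbers):
    """Per internal number, the external numbers it is linked to and how many
    records reveal each link. Internal-to-internal contacts are skipped: they
    add nothing beyond what the organization's own numbering already implies."""
    exposure = defaultdict(Counter)
    for pair, count in contact_graph(records).items():
        inside, outside = pair & org_numbers, pair - org_numbers
        if len(inside) == 1 and len(outside) == 1:
            (org,), (ext,) = inside, outside
            exposure[org][ext] += count
    return {org: dict(contacts) for org, contacts in exposure.items()}


def shared_external_contacts(records, org_numbers):
    """External numbers reached by more than one internal number: the links most
    likely to reveal an association the organization keeps out of public view."""
    ext_to_org = defaultdict(set)
    for org, contacts in external_exposure(records, org_numbers).items():
        for ext in contacts:
            ext_to_org[ext].add(org)
    return {ext: sorted(orgs) for ext, orgs in ext_to_org.items() if len(orgs) > 1}


def cell_site_exposure(records, org_numbers):
    """Internal numbers whose records carried a cell-site id, with the ids seen.
    Assumption for this example: the cell site belongs to the record's source."""
    sites = defaultdict(set)
    for r in records:
        if r["cell"] and r["src"] in org_numbers:
            sites[r["src"]].add(r["cell"])
    return dict(sites)


def assess(text, org_numbers):
    """Full assessment as one dictionary, convenient for reporting."""
    records = parse_cdrs(text)
    return {
        "records": len(records),
        "external_exposure": external_exposure(records, org_numbers),
        "shared_external_contacts": shared_external_contacts(records, org_numbers),
        "cell_site_exposure": cell_site_exposure(records, org_numbers),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CDRS, ORG_NUMBERS).items():
        print(f"{key}: {value}")
```

Run against real CDR exports the same way by swapping in the organization's own numbers; the output is a map of what an adversary holding the records could infer, which is the starting point for deciding who to notify and which SMS-dependent workflows to migrate first.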