What Happened
On July 12, 2024, AT&T disclosed that attackers had stolen call and text message records for nearly all of its wireless customers, roughly 110 million people, plus customers of mobile virtual network operators that use AT&T's network, from a third-party cloud platform, Snowflake. The theft was one tenant compromise within the broader Snowflake customer data theft campaign, tracked by Mandiant as UNC5537, but it stood out for the sheer scale and sensitivity of the telecommunications metadata involved.
The stolen records cover May 1 through October 31, 2022, plus a single day, January 2, 2023, for a much smaller number of customers.
Exposed Data
The records exposed the phone numbers of AT&T wireless customers and of the numbers they interacted with, the number of calls and texts between each pair, and aggregate call duration for a day or month. A subset of records also includes one or more cell site identification numbers, from which the approximate location of the customer at the time can be derived.
AT&T stated that the stolen data did not include the content of calls or texts, Social Security numbers, dates of birth, or other personally identifiable information, and that it did not contain customer names. AT&T itself noted, though, that publicly available tools can often map a phone number back to a name, and call detail records reveal a great deal on their own: communication patterns showing who talks to whom and how frequently, approximate location derived from cell site IDs, sensitive relationships implied by contact with doctors, lawyers, journalists, or political organizations, and business intelligence from corporate call patterns.
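To make the inference concrete, here is an added example (not code from the page, AT&T, or the investigators) that works over records shaped like the ones described above: per-pair call and text counts, aggregate call seconds and cell site IDs, one row per subscriber, peer and day. The records, the cell site table and the reverse-lookup directory are all constructed; real CDR schemas and site tables are carrier-specific.

```python
"""Inference from aggregated call detail records (CDRs).

Added example; not code from the page, AT&T, or the investigation. The record
layout mirrors what the page describes (per-pair counts, aggregate duration and
cell site IDs) and every record, site and directory entry below is constructed."""
from collections import defaultdict

# Constructed records: (day, subscriber, peer, calls, texts, call_seconds, cell_site_ids)
SAMPLE_RECORDS = [
    ("2022-05-02", "+12025550101", "+12025550199", 3, 0, 1420, ["SITE-DC-0412"]),
    ("2022-05-02", "+12025550101", "+12025550142", 0, 11, 0, ["SITE-DC-0412"]),
    ("2022-05-03", "+12025550101", "+12025550199", 1, 2, 300, ["SITE-DC-0412", "SITE-MD-0077"]),
    ("2022-05-09", "+12025550101", "+12025550199", 2, 0, 900, ["SITE-DC-0412"]),
    ("2022-05-10", "+12025550101", "+12025550188", 1, 0, 180, ["SITE-VA-0210"]),
    ("2022-05-16", "+12025550101", "+12025550199", 2, 1, 1100, ["SITE-DC-0412"]),
]

# Constructed cell-site table; a carrier's real table maps site IDs to tower coordinates.
CELL_SITES = {
    "SITE-DC-0412": "Washington, DC (downtown)",
    "SITE-MD-0077": "Bethesda, MD",
    "SITE-VA-0210": "Arlington, VA",
}

# Constructed reverse-lookup directory. Business lines are publicly listed, so a
# peer number often resolves to an organisation even though no names leaked.
DIRECTORY = {
    "+12025550199": "oncology clinic, main line",
    "+12025550188": "immigration law office",
}


def contact_profile(records, subscriber):
    """Aggregate every peer of `subscriber`: calls, texts, seconds, distinct days."""
    profile = defaultdict(lambda: {"calls": 0, "texts": 0, "seconds": 0, "days": set()})
    for day, sub, peer, calls, texts, seconds, _sites in records:
        if sub != subscriber:
            continue
        entry = profile[peer]
        entry["calls"] += calls
        entry["texts"] += texts
        entry["seconds"] += seconds
        entry["days"].add(day)
    # Freeze the day sets into counts so the result is plain, comparable data.
    return {peer: {**e, "days": len(e["days"])} for peer, e in profile.items()}


def sensitive_contacts(records, subscriber, directory, min_days=1):
    """Peers that resolve to a listed organisation, most persistent contact first."""
    profile = contact_profile(records, subscriber)
    hits = [(peer, directory[peer], e["days"]) for peer, e in profile.items()
            if peer in directory and e["days"] >= min_days]
    return sorted(hits, key=lambda h: (-h[2], h[0]))


def location_by_day(records, subscriber, sites):
    """Coarse whereabouts per day, derived from nothing but the cell site IDs."""
    areas = defaultdict(set)
    for day, sub, _peer, _c, _t, _s, site_ids in records:
        if sub == subscriber:
            for sid in site_ids:
                areas[day].add(sites.get(sid, f"unknown site {sid}"))
    return {day: sorted(a) for day, a in sorted(areas.items())}


if __name__ == "__main__":
    target = "+12025550101"
    for peer, e in contact_profile(SAMPLE_RECORDS, target).items():
        print(peer, e)
    print(sensitive_contacts(SAMPLE_RECORDS, target, DIRECTORY))
    print(location_by_day(SAMPLE_RECORDS, target, CELL_SITES))
```

Nothing in the input is content or a name, yet the output says that one subscriber was in repeated contact with a cancer clinic on four separate days across two weeks, spoke once with an immigration lawyer, and moved between three metro areas. That is the sensitivity the page is describing.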
How It Happened
The theft was part of the Snowflake campaign. Attackers logged in to AT&T's Snowflake cloud data environment with valid credentials that infostealer malware had captured; across the campaign, some of the stolen credentials were years old and had been harvested from contractor systems as well as employee ones. The compromised account was protected by a password alone, with no MFA, and no Snowflake network policy restricted the source IPs that could use it, so the stolen password was sufficient on its own. Snowflake's platform itself was not breached; the campaign worked by reusing each victim tenant's own credentials. AT&T learned on April 19, 2024 that a threat actor claimed to have accessed the data, but delayed public disclosure until July 12 at the request of the FBI and DOJ, who determined that earlier disclosure could pose a substantial risk to national security or public safety.
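The access pattern described above leaves a clear trail in Snowflake's LOGIN_HISTORY view: a successful login whose only factor was a password, from a network the tenant never uses, often through a client type the identity never used before. The following hunt is an added example, not code from the page, AT&T, Snowflake or Mandiant. It assumes the documented column names of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the sample rows, the allowlist of corporate egress ranges and the per-identity client baseline are constructed, and the factor labels other than PASSWORD are assumed.

```python
"""Hunt Snowflake LOGIN_HISTORY for the access pattern behind the breach:
successful password-only logins from sources the tenant never allowlisted.

Added example; not code from the page, AT&T, Snowflake, or the investigation.
Column names follow Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the
rows, the allowlist and the per-user client baseline are all constructed, and
the factor labels other than PASSWORD are assumed rather than checked."""
from ipaddress import ip_address, ip_network

# The query that would feed real rows into hunt(); SAMPLE_LOGIN_HISTORY stands
# in for its result set.
LOGIN_HISTORY_QUERY = """
SELECT EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE,
       FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE EVENT_TIMESTAMP > DATEADD(day, -30, CURRENT_TIMESTAMP())
"""

# Constructed rows in the column order above (IS_SUCCESS is the text YES/NO).
SAMPLE_LOGIN_HISTORY = [
    ("2024-04-14T02:09:51Z", "ANALYTICS_SVC", "198.51.100.23", "JDBC_DRIVER",   "PASSWORD", None,       "NO"),
    ("2024-04-14T02:11:09Z", "ANALYTICS_SVC", "198.51.100.23", "JDBC_DRIVER",   "PASSWORD", None,       "YES"),
    ("2024-04-14T09:30:00Z", "ANALYTICS_SVC", "10.20.30.40",   "PYTHON_DRIVER", "PASSWORD", None,       "YES"),
    ("2024-04-14T09:31:12Z", "JDOE",          "203.0.113.7",   "SNOWFLAKE_UI",  "PASSWORD", "DUO_PUSH", "YES"),
    ("2024-04-15T23:58:03Z", "REPORTING_RO",  "192.0.2.55",    "OTHER",         "PASSWORD", None,       "YES"),
]

# Constructed tenant context: the egress ranges a network policy would allow,
# and the client type each identity is expected to use.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]
EXPECTED_CLIENTS = {
    "ANALYTICS_SVC": {"PYTHON_DRIVER"},
    "JDOE": {"SNOWFLAKE_UI"},
    "REPORTING_RO": {"SNOWFLAKE_UI"},
}


def _in_allowlist(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def _severity(single_factor, off_allowlist, odd_client):
    # A bare password used from an unknown network is exactly the campaign's
    # pattern; either signal on its own still deserves a ticket.
    if single_factor and off_allowlist:
        return "HIGH"
    if single_factor or (off_allowlist and odd_client):
        return "MEDIUM"
    return "LOW"


def hunt(rows, allow=_in_allowlist, expected=EXPECTED_CLIENTS):
    """Return one finding per suspicious successful login, in row order."""
    findings = []
    for ts, user, ip, client, first, second, ok in rows:
        if ok != "YES":
            continue  # failed attempts belong to a separate brute-force rule
        single_factor = first == "PASSWORD" and second is None
        off_allowlist = not allow(ip)
        odd_client = client not in expected.get(user, set())
        reasons = []
        if single_factor:
            reasons.append("password-only login, no second factor")
        if off_allowlist:
            reasons.append(f"source {ip} outside allowlisted networks")
        if odd_client:
            reasons.append(f"client type {client} not in baseline for {user}")
        if reasons:
            findings.append({"time": ts, "user": user, "ip": ip,
                             "severity": _severity(single_factor, off_allowlist, odd_client),
                             "reasons": reasons})
    return findings


def users_needing_mfa(rows):
    """Identities that have successfully logged in with only a password."""
    return sorted({r[1] for r in rows if r[6] == "YES" and r[4] == "PASSWORD" and r[5] is None})


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGIN_HISTORY):
        print(f["severity"], f["user"], f["ip"], "; ".join(f["reasons"]))
    print("enforce MFA or key-pair auth for:", users_needing_mfa(SAMPLE_LOGIN_HISTORY))
```

To run it against a real tenant, execute LOGIN_HISTORY_QUERY through the Snowflake connector and pass the rows to hunt(). ACCOUNT_USAGE views lag live events by up to a couple of hours, so this is a hunt, not a real-time alert; the MEDIUM finding for the in-network service account is the one most teams ignore and the one that becomes HIGH the day its password turns up in an infostealer log.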
Timeline
Attackers accessed AT&T's Snowflake environment and exfiltrated the data between April 14 and April 25, 2024. AT&T learned of the breach on April 19. On May 9 the DOJ determined that a delay in the SEC disclosure was warranted, and it granted a second delay on June 5. AT&T publicly disclosed the breach on July 12, 2024. In November 2024 the DOJ unsealed an indictment charging individuals linked to the Snowflake campaign.
Regulatory Implications
AT&T filed an SEC Form 8-K disclosing the breach as a material cybersecurity incident under Item 1.05. The DOJ-approved delay was one of the first public uses of the rule's provision allowing a registrant to postpone disclosure when the Attorney General determines that it would pose a substantial risk to national security or public safety. The breach reinforced concerns about telecommunications metadata as a sensitive data category and renewed debate in Congress over whether call detail records should receive stronger legal protection. AT&T faced multiple class-action lawsuits alleging failure to protect customer data.
Key Lessons
Telecommunications metadata is highly sensitive: even without call content, CDRs reveal communication patterns, relationships, and approximate locations. Third-party cloud security is critical; AT&T's data was stolen from its Snowflake tenant, not from AT&T's own infrastructure, and a SaaS data store holding production records needs the same identity and network controls as the systems it was copied from. MFA would have blocked the stolen-password login used here, and a Snowflake network policy restricting source IPs would have blocked it independently; rotating any credential that appears in infostealer logs and reviewing login history for password-only access from unfamiliar sources are the matching detective controls. Delayed disclosure can be justified on national security grounds but creates tension with investor and consumer transparency expectations.