AT&T breach too big to ignore

AT&T has been hacked…again. Not to be confused with a massive data leak back in 2021, this latest breach involves the customer data of 110 million people. AT&T insists that no call or text content was compromised, only the metadata from that content. So instead of private conversations being leaked and sold all over the dark web, we might soon see phone numbers, call durations, cell site IDs and other location-related metadata go up for grabs. The lack of private content breached might come as a relief to some, but it simply serves as a reminder that our data privacy laws in the US are almost non-existent, non-regulated and have become just the cost of doing business. But can we afford it?

Speaking with News 12 NJ’s Walt Kane about AT&T’s massive data breach

An overly cynical viewpoint of this hack is that we have simply removed the middle man known as data brokers. You probably never heard of companies like CoreLogic, Epsilon, Acxiom, but you may have heard of Experian. These companies are data brokers and all make their revenue from buying access to metadata just like this from companies just like AT&T. Experian is not only selling data but also the credit freezing and protection services when your data is breached so they’re making money on both sides of the problem.

Instead of shady data brokers directly supplying your personal data to law enforcement, loan companies and even political consultants, the dark web is poised to collect metadata from 110 million AT&T customers. This breached data even includes some non-AT&T customers who were contacted or texted by AT&T customers. Once distributed across the dark web, chunks of data will be bundled and sold to hackers looking to pull out contact information to deploy phishing attacks and much more. The lines between local law enforcement collecting data on citizens and hackers collecting data on citizens can sometimes blur enough to make it difficult to tell which ones are the good guys and while proposals like FAINFSA (Fourth Amendment Is Not For Sale Act) would attempt to close the data broker loophole, we still do not have a federal mandate on our personal data.

It’s the metadata, stupid

Our most valuable data (passwords, financial account numbers, medical records, etc.) remain protected through a combination of obfuscation and encryption, but these defenses are still somewhat reliant upon the integrity our own security habits. We have some help from our devices, tech companies and even some deterrents in the form of basic legislation, but if you leave your phone unprotected with a security PIN and it is hacked, you really have no one to blame but yourself. Metadata is different from this private data. As consumers, we leave metadata breadcrumb trails everywhere we go and metadata is not protected in the same manner. For an example of the difference between our private data and our metadata, we need look no further than our own smartphone cameras. Every picture we take on our phones reveals exactly where, when and how we took that image. However, if there are people in that image or sensitive material, these are considered data and to be guarded fiercely. But the metadata that surrounds this sensitive data is generally unprotected and can be reverse engineered to fill in many blanks that the private data would’ve provided.

Metadata has been reverse engineered for years now. Redacted data can be exposed and location data can be exposedwhich can sometimes fill in even more details than the actual data especially in a court of law. For years, prosecutors and defenders have been citing cell site IDs to geolocate their clients. The data says nothing of motives or even proof in the way of innocence or guilt, but when you introduce enough circumstantial evidence into a case, it can not only create a very compelling argument for or against the burden of proof, but even defeat damning confessions and physical evidence in the minds of jurors.

Snowflake in the Cloud

AT&T might be responsible for this massive data breach but they weren’t the ones who were actually breached. Snowflake is a 3rd party cloud storage platform storing and analyzing exabytes of customer data. At some point in mid-April of 2024, Snowflake was compromised by attackers using stolen login credentials provided by an installed malware package called Infostealer. Due to a lack of MFA (Multi-Factor Authentication) enforcement in Snowflake’s security infrastructure, hackers were able to exfiltrate massive amounts of data. Snowflake has since increased reliance upon MFA but this is only due to the public and media scrutiny they have faced. The larger problem falls back into AT&T’s court. Cloud, payment and support systems are too complex for even billion dollar companies like AT&T to handle internally which is why they outsource these services to a variety of providers. These relationships are generally good for the consumer but when 3rd part vendors aren’t vetted properly or audited regularly, security is always the first casualty.

Snowflake does more than just store data. They use AI and ML to analyze tons of data for AT&T and other high profile clients. This means that not only was AT&T customer data stolen, it was also analyzed and packaged for AT&T to sell to the highest bidder. The only question is will the highest bidders contact “legitimate” data brokering services or simply go directly to the dark web to get the stolen data.

You may recall another massive breach from way back in 2013 involving Target. Fazio Mechanical was one of many vendors working with Target but they were the only ones who were infected by malware allowing entry into Target’s vendor portal. Without proper compartmentalization of this portal, Target faced root compromise of servers. It’s hard to believe that the Target hacking story was the first major breach I covered. What’s even harder to believe is that such a large breach only amounted to an $18.5 million fine. Fast forward 11 years and it appears little has changed. Let’s hope that the monetary fines are adjusted not just for inflation but also for culpability.