ICYMI, AT&T has acknowledged that cyber thieves stole basically the phone bills for all of their customers. The data includes information you would see on a phone bill, including the source and destination of calls on your AT&T mobile device(s), and the same for SMS messages.

AT&T said it delayed disclosing the breach "on national security and public safety concerns." And we're learning now that the FBI has confirmed this.

AT&T's SEC filing says some cellular site tower information is also among the data accessed by the intruders, which could be used to determine the approximate location of where a call was made or text message sent.

This raises an important question: Was the AT&T customer data stolen from a law enforcement portal set up by AT&T? Sure seems like it.

https://techcrunch.com/2024/07/12/att-phone-records-stolen-data-breach/

AT&T says criminals stole phone records of 'nearly all' customers in new data breach | TechCrunch

The stolen data includes 110 million AT&T customer phone numbers, calling and text records, and some location-related data.

FBI declined to answer questions about whether this breach resulted from the compromise of data from some kind of law enforcement portal. Their statement:

"Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident. In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety. AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work. The FBI prioritizes assistance to victims of cyber-attacks, encourages organizations to establish a relationship with their local FBI field office in advance of a cyber incident, and to contact the FBI early in the event of breach."

@briankrebs is it just me or is the national security mention tantamount to a tacit admission that it was likely related to law enforcement activity or capabilities?
@briankrebs and I don't mean that in the sense that it's necessarily as a result of misuse or any particular wrongdoing on the LEAs' part, but it's common knowledge that major service providers have systems (typically web portals) for handling things like law enforcement requests, and this is precisely the language I would expect them to use if one of those got popped.
@gsuberland @briankrebs I read the "national security" part as meaning that government members use the AT&T network for communications, but I may be naive in assuming that.
@briankrebs AT&T is not the victim here. AT&T Customers are the victim. AT&T is partially responsible for its negligence in not having bleeping MFA on its Snowflake database, and putting this data in a damn data warehouse to begin with.
@briankrebs So, it was compromised via a law enforcement portal ...
@briankrebs i.e. it's possible it was FBI or DoJ who was the orig end client
@briankrebs That's a lot of words used to say basically nothing related to the question asked.