Features 22.08.2024
An AI Autopsy: AT&T’s 2024 Data Breaches
The first in our AI Autopsy series…Features that analyse and dissect recent cyber incidents, providing lessons learnt so cybersecurity professionals can avoid history repeating itself
Features 22.08.2024
The first in our AI Autopsy series…Features that analyse and dissect recent cyber incidents, providing lessons learnt so cybersecurity professionals can avoid history repeating itself
As far as data breaches go, US telecoms giant AT&T is having a bad year. In July, AT&T admitted adversaries had stolen a cache of data, including the call records and numbers of “nearly all” of its customers, amounting to over 10 million people.
The breach resulted from an attack on a third-party platform Snowflake, but the impact on AT&T’s reputation suffered all the same. Some reports suggest the firm paid $400,000 to attackers to erase the data, which included metadata – but, crucially, not the content of calls and messages – as well as the phone numbers of non-customers.
The breach data covered six months’ worth of customer information in 2022 and records from January 2023, including personally identifiable information.
AT&T discovered the breach three months earlier, in April, but reported it four months later, in July. The FBI had asked AT&T to delay disclosure to the Securities and Exchange Commission due to potential national security and public safety concerns.
It was AT&T’s second breach of 2024. In March, 73 million customer records, including personal information and encrypted passcodes, were posted to a cybercrime forum for anyone to see.
It goes without saying that it has been a tough year for the AT&T team, but there’s a lot to be learnt from what happened. Assured Intelligence has taken the time to put together a list of five important takeaways following the two breaches.
1: Think twice before paying the ransom
As mentioned above, reports suggest that it’s likely that AT&T paid the Snowflake attackers to delete customer data. However, many lawmakers and experts advise against this course of action in the event of ransomware attacks, instead advising against paying the ransom.
After all, giving attackers what they want doesn’t ensure they delete the data, and paying ultimately fuels the ransomware business model, arguably leading to further attacks across the board.
Of course, that’s much easier said than done. If the AT&T records were stored in Snowflake using a poorly secured user account and data was ransomed, this sets a bad precedent for motivating future attackers, says Sara Boltman, founder of data consultancy Butterfly Data. “Even if they only paid around one-third of the original demand, that’s not great for the rest of the industry as it only encourages attackers.”
2: Breaches can damage your brand
As AT&T will be painfully aware, breaches don’t just create unwanted headlines; they also affect the brand. AT&T may face “substantial reputational damage” and “loss of customer trust,” leading to possible churn and increased costs for customer support and remediation efforts, says Nitin Sonawane, co-founder and CPO at security firm, Zilla Security.
While AT&T took immediate steps to address the March breach by resetting account passcodes, the extent of the July breach has raised questions about the firm’s overall preparedness and security measures, says Sonawane.
3: Customers might need protection
Following a breach, firms need to consider their customers, especially if their data has been exposed as it was in the AT&T breaches. For example, they might be at increasing risk from social engineering and phishing emails using leaked credentials.
“They have the potential to spy on their activities and use this information in extortion efforts – perhaps if a customer had been calling a specific number, say dating lines or for medical treatment” Paul Lewis
Stealing call records is “interesting” for a cyber criminal, as it exposes information on the customer’s life, says Paul Lewis, CISO of Nominet. “They have the potential to spy on their activities and use this information in extortion efforts – perhaps if a customer had been calling a specific number, say dating lines or for medical treatment.”
After the AT&T breaches, exposed data included phone numbers, call records, and the metadata of calls, which can reveal who called who and when, potentially indicating approximate locations, says Sonawane. “In the March breach, personal information such as names, mobile numbers, and postal addresses were compromised. The implications are severe, as this data can be used for phishing, smishing, identity theft and other malicious activities.”
Considering this, it’s essential to ensure customers are updated and aware of how their information could potentially be used in attacks following a breach or leak of information.
4: Respond quickly and transparently
Everyone knows response is integral when it comes to cyber attacks. According to Nominet CISO Lewis, AT&T did everything correctly following the breach – notified customers, law enforcement and regulators, helped customers, and called in an independent specialist cyber investigation team.
AT&T also collaborated with law enforcement and cybersecurity experts to “close the security gap” and mitigate the risk of anything further occurring, says Lorri Janssen-Anessi, director of external cyber assessment at managed detection and response platform provider, BlueVoyant. “The company has informed affected customers and provided resources to help safeguard their personal information.”
As such, Janssen-Anessi praises AT&T for transparency and open communication: “It helps maintain trust and hopefully prevents further damage.”
5: Third-party suppliers pose a risk
Another lesson from the most recent AT&T breach involving Snowflake is the reliance on third parties by many firms and the risk this consequently poses, says Sean Wright, head of application security at Featurespace. “Organisations must perform their own appropriate due diligence to make sure the vendors they select are sound from a security perspective, as well as making sure the use of those services is carried out in a secure manner.”
“There should never be a case where stolen or reused credentials can allow an attacker to gain access to your sensitive data” Matt Aldridge
This should include a periodic review to ensure changes in terms of functionality and configuration options are appropriately implemented. At the same time, Wright advocates periodic reviews on the vendor “to ensure they are keeping their own security current and to an acceptable standard”.
The AT&T Snowflake breach highlights the necessity of “rigorous and proactive supply chain security”, agrees Matt Aldridge, principal solutions consultant at OpenText Cybersecurity. “This is a reminder for organisations to ensure their partners and suppliers adhere to strict cybersecurity standards.”
It might be all the rage, but Aldridge recommends firms are cautious about rushing to automate their security processes. “It is critical first to manually identify and understand the full scope of your supply chain exposure. Only then can thoughtful automation add value without introducing new risks.”
Aldridge says that effective supply chain security also hinges on strong communication between security teams and business units. “Extending dashboards and reporting capabilities to business unit leaders and IT managers can enhance effective communication, ensuring everyone involved understands the risks and is prepared to act.”
When relying on cloud service providers like Snowflake for the security of sensitive data, it is essential that they’re configured for maximum security. As part of this, firms should ensure full activity logging is available and that authentication fully complies with organisational single-sign-on and multi-factor authentication policies, says Aldridge. “There should never be a case where stolen or reused credentials can allow an attacker to gain access to your sensitive data.”
Threat intelligence also plays a crucial role in informing your areas of focus, Aldridge says. “Having awareness that a cloud service dependency is being attacked in a particular way, for example, can allow you to mitigate any elevated risks.”
In short, breaches make headlines, but how you handle the fallout can help limit the damage. Clear, concise communication and offering help to impacted customers can significantly reduce the impact on your brand and reputation. At the same time, supply chain security is key. Always vet your suppliers and have a solid strategy to ensure you aren’t hit by cyber attacks that impact third parties.