AT&T says criminals stole phone records of 'nearly all' customers in data breach

Breach scope, timing, and process

  • AT&T says “nearly all” wireless customers (and many landline contacts) had call/SMS metadata taken from its Snowflake cloud deployment.
  • Dataset spans ~May–Oct 2022 plus some records from Jan 2, 2023; AT&T had earlier, separate SSN/PII leaks as well.
  • AT&T learned of this incident in March/April 2024 but public disclosure was delayed after DOJ twice requested ~1‑month delays under new SEC/DOJ “cyber incident” rules.
  • Many commenters see the 3–4 month lag as unethical even if technically allowed; some question why this wasn’t deemed “material” for prompt SEC disclosure.

Snowflake vs. AT&T: who’s at fault?

  • One camp blames AT&T: reused or stolen credentials, no MFA, internet‑reachable Snowflake tenant, and massive sensitive dataset in a third‑party cloud.
  • Another camp spreads blame to Snowflake: weak security defaults, no easy tenant‑wide MFA enforcement until recently, and a design where a single username+password could exfiltrate huge volumes.
  • Others emphasize “shared responsibility”: Snowflake provides tools; customers must enforce MFA, IP allowlists, VPN/PrivateLink, and proper off‑boarding.
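As an added illustration (not from the thread or from Snowflake's own material), this is what the customer-side controls in the last bullet look like as Snowflake SQL; policy names, the IP ranges and the user name are placeholders, and the authentication-policy syntax assumes an account that supports Snowflake's authentication policies.

```sql
-- 1. IP allowlist: only corporate egress / VPN ranges may reach the tenant.
--    (Ranges below are constructed placeholders.)
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 2. Tenant-wide MFA enforcement for interactive logins.
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 3. Off-boarding: disable the account instead of leaving a dormant password.
ALTER USER former_contractor SET DISABLED = TRUE;

-- 4. Detection: successful password-only logins (no second factor) in the
--    last 30 days, the pattern a credential-stuffing login would leave.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp > DATEADD('day', -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

Steps 1 and 2 are what the "shared responsibility" camp says customers must turn on themselves; step 4 is the audit query to run first, since any row it returns is a user the MFA policy would otherwise have blocked.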

What was stolen and why it matters

  • Data: phone numbers (including counterparties, MVNO users, and some landlines), who contacted whom, plus cell‑tower IDs for many records; no content, and reportedly no timestamps.
  • Commenters stress metadata is still highly sensitive: enables social graphs, likely home/work/relationship inference, and targeting of:
    • People in affairs, political or activist networks.
    • Patients contacting abortion or mental‑health services.
    • Abuse victims calling lawyers or hotlines.
  • Anticipated abuse: tailored scams, extortion, improved caller‑ID spoofing, SIM‑swap targeting, and AI‑assisted mining of large graphs.

Surveillance, data retention, and purpose

  • Strong criticism that telcos retain detailed records long after billing needs, especially for ex‑customers.
  • Several link this to:
    • Government pressure and national‑security uses (FBI/NSA access).
    • Monetization via data brokers, “alternate credit scoring,” and hyper‑targeted marketing, referencing Snowflake’s own telco marketing language.
  • Some argue the true “leak” is upstream: the decision to centralize and repurpose this data at all.

Law, incentives, and consumer recourse

  • Broad consensus that current US penalties are too small; class actions usually net customers pennies while lawyers and firms move on.
  • Proposed fixes: per‑user statutory damages, very large percentage‑of‑revenue fines, lifetime credit monitoring, bans on forced arbitration, stronger whistleblower protections, or even treating excessive retention as illegal.
  • Skeptics warn that over‑regulation/licensing could create security theater, regulatory capture, and ossified “big tech utilities.”
  • Practical advice in the thread: keep credit (and ChexSystems) frozen by default, minimize use of SMS (especially for 2FA), and assume core personal data is already widely compromised.