What You Need to Know About AT&T’s Data Breach and How to Secure Your SaaS Data

Arguably, it is one of the worst breaches that has happened recently. AT&T disclosed in mid-July 2024 that data from over 109 million US customer accounts was compromised in a massive breach. Let’s look at the breach event, how it happened, and lessons learned for organizations looking to learn from this most recent major breach incident.

AT&T hack overview

On July 12, 2024, AT&T announced that it had data from around 109 million US customer accounts illegally downloaded in a data breach incident. The breach affected a large number of AT&T customers, leading to concerns over the potential for misuse of the stolen data. 

As to the extent of the breach, it is thought to have affected nearly all AT&T customers. Attackers stole what was the equivalent of call data records (CDR). These are a treasure trove of information for gathering intelligence as they can be used to understand who is talking to which users, when they are talking, and their approximate locations.

What happened in the attack?

The AT&T breach event involved the unauthorized download of customer data from AT&T’s systems. The data was illegally downloaded over eleven days or so and included phone call and text message records, call durations, and cell tower identification numbers. 

This type of information can be used for intelligence analysis, revealing communication patterns, and even exposing sensitive conversations. Cybercriminals can use the information for all kinds of nefarious activities, including identity theft, phishing attacks, and other malicious activities and information gathering.

How did the attack happen?

AT&T disclosed that the breach occurred through compromised credentials involving third-party vendors. The attackers seemed to have gotten their foot in the door by obtaining stolen credentials on the dark web, which was connected to another recent high-profile breach involving the cloud data company Snowflake. These compromised credentials included usernames, passwords, and authentication tokens gathered using malware. 

Who?

The cybercriminal group UNC5537 is the threat actor behind the attack on AT&T’s data. They are said to be financially motivated and have members that span from North America to countries in the Middle East.

Breach impact

The impact of the breach goes beyond AT&T as an organization and also affects its customers. The preceding breach of Snowflake that ultimately led up to the AT&T attack affected other companies, including Ticketmaster, Santander, Neiman Marcus, and LendingTree. The way these two breach events are connected helps to emphasize the broad implications of third-party vulnerabilities and the interconnected nature of modern data systems and Software-as-a-Service platforms in the cloud.

Even large corporations face challenges in safeguarding sensitive customer information from risks, including targeted phishing and smishing attacks, online fraud, and data leaks. This is especially the case if cloud SaaS services that these rely on are compromised.

AT&T breach implications

The scale of this breach is staggering. AT&T estimates some 109 million accounts have been compromised as a result. Due to the massive scale, the implications of the breach are severe and place the personal information of millions in jeopardy, possibly leading to the following:

• Identity Theft – Criminals can use stolen data to commit fraud, open unauthorized accounts, and pursue illegal activities.
• Financial Losses – AT&T and its customers may face financial damages, ranging from damages from the breach itself to potential fines and legal actions.
• Reputation Damage – AT&T’s reputation has taken a hit, and it faces the prospect of losing customer trust and confidence.

How SpinOne can help

In the aftermath of the AT&T breach, organizations must use the lessons learned to bolster the security of their data. Modern businesses are heavily leveraging cloud infrastructure and productivity platforms like Google Workspace and Microsoft 365. 

The breach highlights the need to have visibility of who has access to which data and use automated cybersecurity protections to raise alerts when there are events involving abnormal downloads from cloud environments. 

SpinOne is a modern, fully-featured solution that uses AI and machine learning to bolster security for SaaS environments like Google Workspace and Microsoft 365. SpinOne can provide protection in several key ways. Note the following layers of protection offered by SpinOne:

• Compliance risks – helps to increase regulatory compliance
• Data leak prevention – allows organizations to have complete visibility over data sharing
• Data loss prevention – SpinBackup provides incremental backups for SaaS data
• Insider threats – identify and address insider threats with SpinDLP, which uses algorithms to detect anomalies
• Misconfiguration management – allows you to automate misconfiguration management
• Ransomware downtime – it provides fully automated ransomware protection that can automatically remediate and protect SaaS from ransomware
• Shadow IT – visibility and incident response to shadow IT activities
• Third-party risk – automated risk assessments to understand the risk profile of third-party SaaS apps and browser extensions

By using modern artificial intelligence and machine learning, Spin helps to level the playing field with modern cybersecurity threats. Let’s dive deeper into some of the features that Spin offers to help protect against data breaches and abnormal data downloads and exfiltration as seen in the AT&T data breach.

Abnormal Download Detection

When we look at the fact that the attackers accessed AT&T’s workspace on a third-party cloud platform and then proceeded to illegally download sensitive information, having visibility to these types of actions and abnormal behaviors is critical. 

SpinOne uses advanced algorithms and machine learning to monitor and detect unusual download activities. It means that if an abnormal volume of data is accessed or downloaded, SpinOne can quickly identify this activity and alert administrators. This early detection helps prevent data breaches and mitigate their impact.

Detailed Access Logs

SpinOne provides visibility into who has access to what data within an organization. Having this visibility helps to make sure any unauthorized access attempts are identified as soon as possible. It allows organizations to track user activities and make sure that sensitive data is accessed only by authorized personnel.

Automated risk assessments

SpinDLP provides automated risk assessments of third-party SaaS applications and browser extensions so IT admins and SecOps understand all apps integrated into the environment and the risk profile of the app or extension. Even if the app was initially deemed safe, if the risk profile changes over time, Spin helps surface these risks so “leaky” or outright malicious applications can be blocked from use.

The automated risk assessments are used by Spin’s automated policies that can allow or block apps or extensions based on their risk score. This cybersecurity automation takes the heavy lifting out of manual efforts to understand the risks of all integrations in the SaaS environment.

Wrapping up

Handling large quantities of sensitive data can be challenging for organizations using modern cloud environments. A single breach of a large cloud data company, such as the recent breach of Snowflake, can have long-lasting implications in further breach events and compromises. 

Modern businesses must implement advanced security measures to even the playing field with cyber attackers. Human efforts in monitoring and performing risk assessments are no longer enough or effective. SpinOne is a solution that can play a vital role in enhancing data security. It provides visibility into abnormal download activities and helps SecOps and IT Ops understand who can access which data. It also helps to protect sensitive data from data leaks.

If you would like to see how Spin can help your organization meet modern cloud cybersecurity challenges, sign up for a demo here: https://spin.ai/demo.