House lawmaker demands answers from AT&T on recent data breach

A House lawmaker is seeking details on a recently disclosed AT&T data breach that exposed nearly all customers’ phone numbers, according to a letter first shared with Nextgov/FCW.

Rep. Abigail Spanberger, D-Va., asked AT&T CEO John Stankey about the company’s incident response efforts after the breach was disclosed, as well as whether the telecom giant would be offering fraud monitoring services, among other questions.

AT&T first disclosed the incident July 12 after hackers had accessed the stolen customer data through Snowflake, a cloud platform provider. The company last week told Nextgov/FCW that most phone numbers connected to the Commerce Department-managed FirstNet public safety service that’s used by first responders were compromised in the breach.

“This stolen customer data — which includes valuable call records, records of text message exchanges, and personally identifying information — becomes especially perilous when acquired or purchased by foreign adversaries,” wrote Spanberger, who is a former CIA officer.

“When armed with this valuable information, maligned governments — like the Russian Kremlin and the Chinese Communist Party — and state-sponsored intelligence agencies could trace these phone numbers back to their owners to expose contacts, sensitive communications networks, and even the precise locations of callers,” she added.

The stolen data on nearly all AT&T customers includes both cellular and landline phone numbers, along with call and text message records — detailing who contacted whom — over a six-month window from May 1, 2022 to October 31, 2022.

The pilfered data didn’t include the specific contents of the calls and text messages, or times and dates of the conversations, but it includes records of interactions between AT&T phone numbers during the six-month period, including the total number of calls and texts and the duration of calls. At least one person has already been arrested in connection with the breach.

The FirstNet service is used by federal, state, local and tribal governments’ emergency response departments. The full extent of the breach’s impact on federal entities is not entirely known.

AT&T is one of the top telecom and network suppliers to the federal government. It’s a prime contractor on the $50 billion Enterprise Infrastructure Solutions contract — a multiple award program where agencies can issue and award task orders — that’s administered by the General Services Administration.

Agencies that tap AT&T for telecommunications services include the Departments of Homeland Security, Justice, State and Veterans Affairs, as well as the Defense Department and the intelligence community. The company in 2018 notably secured a hefty classified contract with the National Security Agency.

Some of the stolen records also fall on January 2, 2023, affecting a smaller, unspecified number of customers. Additionally, the stolen data includes call records of customers from other cell carriers that use AT&T’s network.

Spanberger's letter follows a related Senate inquiry sent to Stankey last week. The Federal Communications Commission also said that it’s conducting an investigation. 

“We have received the letter from Rep. Spanberger and will be responding,” a company spokesperson said in an email.

The call logs were first stolen in April, but the company — which is publicly traded and required to adhere to strict disclosure requirements set by the Securities and Exchange Commission — obtained an unexplained national security exemption to delay the breach notification, it said in its filing of the incident.

In May, AT&T made a $370,000 payment to the ShinyHunters hacking group to delete the stolen records, WIRED reported July 14. The cybercrime collective has recently been using stolen data from vulnerable Snowflake enterprise accounts as leverage to blackmail several targeted companies. Spanberger in the missive asks whether the company has any reason to believe the stolen data is still in the open or was sold to another third party.

She also asks Stankey if the company has instituted new security features like multifactor authentication, designed to double check whether a user is masquerading as someone else when logging into a system.

While only phone numbers were obtained, they can be easily used to build out profiles on government staffers, and attempted cyberattacks on federal employees should be expected to increase, a security practitioner told Nextgov/FCW when the incident was first disclosed.