AT&T Loses Data on 110M Customers

7–15–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, July 15, 2024, and I’m actually recording this episode on Sunday evening ahead of a week of travel. Obviously lots of front page, above-the-fold news in the world that’s not cyber related, but I’ll leave that to others to cover. We’ll try to stay focused here either as a bit of a refuge or a distraction, up to you.

AT&T Loses Phone Records of ‘Nearly All’ Customers

Unfortunately, there’s another big hack to cover this week, with AT&T announcing that “customer data was illegally downloaded from our workspace on a third-party cloud platform.” They are, of course, talking about Snowflake - which is something we’ve talked about at length on this show. In a moment of too little, too late, Snowflake did announce last week that administrators of Snowflake instances can now enforce mandatory Multi-Factor Authentication - but AT&T’s incident happened in April.

AT&T notes:

“the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T's cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T's wireless network, as well as AT&T's landline customers who interacted with those cellular numbers between May 1, 2022 - October 31, 2022”.

Reporting indicates that there are about 110 million impacted customers, and others are tying an American hacker in Turkey to the attack.

Remember, however, that it really doesn’t matter NEARLY as much “who” perpetrates these attacks - or even why - but rather how. In this case, the “how” was compromised credentials, circulated in a shared Telegram channel targeting telecom companies, used against this specific Snowflake instance, which was running under one subdomain (think “shared tenant”).

So - other than offering yet another heavy sigh - what do we do to avoid this at a smaller scale for our companies (since none of us are as big as AT&T)?

I think there are some really simple things we can do to reduce this risk:

  1. Have a Data Retention Policy, and if you don’t need it, delete it - programmatically. You can’t lose what you don’t have.

  2. Encrypt At Rest. If you need to keep large amounts of data, ensure that it is stored in an encrypted fashion.

  3. Manage Identity & Access Management like a damn ninja. Seriously, if you’ve got lots of sensitive data that provides real value to your firm, or clients, lock that stuff down. MFA, sure, but also other layers that help identify potentially risky or malicious activity, because if you think it’s that valuable, someone else will, too.
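To make the three controls above concrete, here is an added example (not from AT&T, Snowflake, or the original newsletter) that reviews constructed warehouse session records the way a “risky activity” layer would, and counts how many records a programmatic retention sweep would already have deleted. The thresholds, IP allow-list and retention window are assumptions chosen for illustration.

```python
"""Flag risky access to a shared data warehouse from constructed audit events.

Each Session is one login: who, when, from which IP, whether a second factor
was used, and how many rows the session exported. Thresholds are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Session:
    user: str
    ts: datetime
    client_ip: str
    second_factor: bool   # True when MFA was completed for this login
    rows_exported: int

KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}   # constructed TEST-NET addresses
EXPORT_THRESHOLD = 1_000_000                    # assumed bulk-export limit
RETENTION = timedelta(days=180)                 # assumed retention window

def flag_session(s: Session) -> list[str]:
    """Return the reasons a session deserves a second look (empty = clean)."""
    reasons = []
    if not s.second_factor:
        reasons.append("no-mfa")            # credential-only login, the Snowflake pattern
    if s.client_ip not in KNOWN_IPS:
        reasons.append("unknown-ip")        # source the tenant has never seen
    if s.rows_exported >= EXPORT_THRESHOLD:
        reasons.append("bulk-export")       # whole-table pulls, not normal queries
    return reasons

def review(sessions: list[Session]) -> dict[str, list[str]]:
    """Map 'user@time' to its flags for every session that raised at least one."""
    return {f"{s.user}@{s.ts:%Y-%m-%dT%H:%M}": r
            for s in sessions if (r := flag_session(s))}

def rows_past_retention(record_dates: list[datetime], now: datetime) -> int:
    """Count records older than RETENTION: what a scheduled delete would remove."""
    return sum(1 for d in record_dates if now - d > RETENTION)

# Constructed sample: one clean analyst login, one service account pulling the
# whole table without MFA from a new address, one human login without MFA.
SESSIONS = [
    Session("alice",   datetime(2024, 4, 14, 9, 2),   "203.0.113.10", True,  1_200),
    Session("svc_etl", datetime(2024, 4, 14, 23, 41), "198.51.100.7", False, 5_400_000),
    Session("bob",     datetime(2024, 4, 15, 10, 15), "203.0.113.11", False, 300),
]
# Constructed record dates: two from the 2022 window, one recent.
RECORD_DATES = [datetime(2022, 5, 1), datetime(2022, 10, 31), datetime(2024, 3, 1)]
```

Run `review(SESSIONS)` to see only the service account and Bob flagged, and `rows_past_retention(RECORD_DATES, datetime(2024, 4, 14))` to see that the two 2022-era records would have been gone long before the April incident.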

There’s some good discussion taking place online by Rachel Tobac, that we don’t have time for here, about how this data might be misused by threat actors to carry out further crimes - including the obvious things like Social Engineering, but also a tremendous amount of details that might fuel convincing spear phishing, reveal sensitive connections, conversations, and locations, and more.

One other bit of cleanup news, CNN has now reported that auto dealer software firm CDK Global paid a ransom of $25M. Given the fact that they’re now substantially back to normal, and that dealers appear to not have lost any of their data, one imagines this ransom payment was absolutely worth it, and also that it will continue to encourage ransomware actors to develop and deploy more and more sophisticated ransomware that is capable of non-destructive restoration when the ransom is paid. As CISA’s Jen Easterly has said, ransomware payment bans in the US simply seem dead in the water at this point.

It’s rough out there, and only going to get rougher in a lot of ways. Buckle up, manage those things that you can, and raise risks when you see them. Wild ride ahead.

Fundraising

From a fundraising perspective, we turned in frankly a great week - in terms of both total capital committed and the number of funds announcing.

That would be more than $21.5B across 23 funds, for an average fund size of nearly $1B. Not bad for the second week of July, and puts us over the $50B number for the month already.

With the rumors of Google buying Wiz for $23B, however, it does seem that prices are going up and that money is going to need to be put to use, and soon. In some ways, this might be hopeful news that will kick off a flurry of deals - and potentially IPOs - providing both some needed liquidity in the market and releasing a new wave of innovation for those who have been locked up longer than they’d have liked.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.prnewswire.com/news-releases/att-addresses-illegal-download-of-customer-data-302195733.html

https://www.snowflake.com/blog/snowflake-admins-enforce-mandatory-mfa/

https://www.cnn.com/2024/07/11/business/cdk-hack-ransom-tweny-five-million-dollars/

https://techcrunch.com/2024/07/12/att-phone-records-stolen-data-breach/

https://www.linkedin.com/posts/kevin-beaumont-security_the-att-breach-was-part-of-a-wider-breach-activity-7217620910613164034-ho2l

https://x.com/RachelTobac/status/1811789563028984214
