AT&T Snowflake Hack
It seems we've become increasingly desensitized to data breaches. The initial outrage quickly fades as the offer of free credit monitoring feels more like a sales pitch than a solution. Fewer and fewer of us take up the offer.
Another week, another data incident.
Last week, I received a notification from Rite Aid about my inclusion in a data breach—ironic, considering I can barely remember the last time I visited one, especially since the nearest store closed over two years ago. Yet this pales in comparison to a more significant breach at AT&T, where the call logs and text messages of their entire customer base for a six-month period in 2022 were exposed. AT&T quickly pointed the finger at a third party.
We meet again dear Snowflake…
The extent of the leaked data is concerning. It ranges from what might seem benign, like metadata, to highly sensitive information including the actual text of messages. Here’s what could have been exposed:
What could someone like me do with that data? This is a little exercise in what you could pull from that data in little to no time.
(BTW, I’ve had teams who have had access to the AT&T call log database for research in the past. The security then around internal access and justification for access was exceptionally high; we had to have people do additional background checks just to view metadata and were never allowed context access. This breach was a major letdown considering the processes that were in place.)
Real world impacts
Grandparent Scams:
Armed with details like names and nicknames, scammers can convincingly impersonate a grandchild in trouble. This scam costs elderly Americans about $800 million annually. With direct access to a family’s communication, the success rate of these scams could skyrocket.
Imagine a scammer spoofing a grandchild’s phone number: it pops up on the grandparent’s screen as coming from a family member, and the scammer can reference recent events or conversations, making the deception nearly foolproof.
Infidelity
The Ashley Madison hack led to overestimations of its impact on marriages, but the actual effect was muted. Private equity money poured into divorce attorneys on the belief that 30 million marriages were on the chopping block.
That did not happen; instead, many lawyers had to explain that most of the accounts were fake, a fraction of a percent were real, and even fewer led to real-life meetups. Outside of the courts it was a different story: we do know of at least two deaths that can be attributed to the hack, reputations and jobs were lost, and several celebrities were traced to private profiles.
The AT&T data is different, as it contains not just intent but location data, and GPS data that matches. A lawyer’s dream.
Illicit Activity (no shade)
Let’s take recreational drug usage: the pagers of the 1990s are no more, save for the odd doctor, replaced with SMS messages. The more savvy, I’m assuming, are using end-to-end encrypted platforms.
Those messages can expose the drug of choice, the frequency of use, and the amount of money spent on it.
The when, where, and who participated, and possibly what occurred afterwards, as in did you pick up your kids from school after doing lines?… OK, too extreme.
However, in the US it is possible for law enforcement to use data from a data breach in an unrelated criminal case. It’s questionable, but it has precedent.
What about legitimate but highly personal information, say your healthcare?
Healthcare Privacy
Prescription notifications like “Your prescription for GAB is ready for pickup” might seem cryptic; well, here’s the rub:
The average PCP (primary care physician) issues only about 30 different types of prescription drugs, plus the occasional specialist one, but mostly it’s inflammation, pain management, blood pressure, infections, common viral diseases, symptom treatments (side effects from other treatments, e.g. chemo), STIs, etc.
The average pharmacist only stocks about 300 different types of medications on site. That’s how they’re able to fit a pharmacy into a large closet in the back of your local supermarket.
That makes the three-letter combination highly guessable.
Your prescriptions are now public
By the way, CVS (and I’m assuming others) provide a link to view details of your picked-up prescriptions that isn’t password protected.
Thankfully it’s deleted after a certain amount of time, but within the right window, your full prescription, refill info, dosage, insurance co-payment, and doctor details are viewable, and linked to from your text messages…
Appointment reminders
“Please reply with Y or N to confirm your appointment with Dr. Weird Toes”
A little tongue in cheek, but there is so much data that can be derived from a name and location; institutions like family planning clinics, cancer centers, therapists, etc. are a lookup away.
And so much more…
Personal relationships, grievances, momentary frustrations, work thoughts, risky jokes: data that we hold as highly contextual, meant for the person who has known you for decades and knows whether we really meant it, is now in a dark corner of the web waiting to get exposed.
AT&T you have failed us
For AT&T to simply blame a third party is unacceptable. Customers entrusted you with highly private data, and that trust was once justified by security measures that were impressive and respectable.
However, this breach has shattered that trust. We, as customers, have not only become the product, with our data mined and exploited for political campaigns, targeted advertising, adaptive pricing, and more.
Now, with such breaches, we are also the victims, left vulnerable to scams, blackmail, and identity theft. It's crucial that companies not only secure our data but also take full responsibility when they fail to protect it.
Chief Information Security Officer at PowerSchool
7 months
This is part of the larger Snowflake hack from late May. From AT&T's 8-K filing with the SEC, they delayed going public at the request of the FBI. Makes you wonder what other shoes are waiting to drop.