The AT&T Data Breach: How Advisors Can Protect Their Firm and Their Clients
Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
The frequency and scale of data breaches continue to increase at an alarming rate. This poses new challenges for wealth management firms and their staff, who must recognize malicious activity on client accounts and impersonation attempts by bad actors using deep fakes. One recent set of data breaches at AT&T raises alarming questions about the safety of consumer data held by AT&T and about how these breaches can affect wealth management firms.
AT&T admitted its second major data breach of the 2024 calendar year. It released details about the breach on July 12th, outlining that a threat actor downloaded a massive amount of data. We believe that this information, used in concert with the data from the first breach, gives bad actors all the information needed to perpetrate highly detailed deep fakes of wealth management clients.
This article examines both breaches at AT&T, discusses how the data can be used to perpetrate detailed deep fakes, and shares how you can advise your clients and staff to protect your clients’ investments.
2021 breach
Before the 2024 breaches, data from over 70 million AT&T customers was posted for sale on an online cybercrime forum in August 2021. A threat actor known as ShinyHunters first posted the data set online with a starting price of $200,000, bid increments of $30,000, and a “buy now” price of $1 million. So, if you ever wondered what your personal information is worth on the dark web, it’s about 1.43 cents USD. ShinyHunters shared samples of the data at the time that included customers’ names, addresses, phone numbers, encrypted Social Security numbers, and encrypted dates of birth.
ShinyHunters is a well-known threat actor with a history of compromising developer repositories to steal credentials and application programming interface (API) keys. Threat actors often target developer repositories because they can contain the credentials (user ID and password) for accessing production databases through an API. Once the threat actor has that access, it can copy large portions of the database. AT&T denied that the information came from its systems or that it had suffered a breach, despite ShinyHunters’ long history of successful hacks. We do not know whether AT&T attempted to validate the data in August 2021. However, cybersecurity experts with access to some of the sample data confirmed that parts of it matched current AT&T customers.
Fast forward to March 17, 2024, when another threat actor named MajorNelson leaked data from the 2021 data breach on the same cybercrime forum. MajorNelson had decrypted the Social Security numbers and dates of birth from the original file and confirmed the record count at 73,481,539. They offered the data set for free and included samples containing the decrypted information.
The practice of releasing older data sets into the public domain has become common in cybercrime forums. Older data sets can be combined with new, or “fresh”, data sets to offer a more complete profile of a target person, and they can be used to validate fresh data sets as well. This raises the prices for fresh data sets, which hold a higher commercial value when augmented with older ones. This will be important later in our article.
BleepingComputer verified some of the data, including Social Security numbers, addresses, dates of birth, and phone numbers, in March. They also outlined how the 73 million records were likely a partial data set, considering the 201.8 million AT&T subscribers at the end of 2021. Pressure on AT&T continued to mount as other cybersecurity professionals validated the decrypted data.
Finally, on March 30, 2024, AT&T confirmed the data breach that occurred in 2021. Its statement said in part:
“AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”
However, this statement is misleading, since AT&T was contacted in 2019 by several cybersecurity experts and denied that it was the source of the data or that the data was representative of its customer base.
2024 breach
On April 19, 2024, AT&T learned that a threat actor claimed to have unlawfully accessed and copied AT&T data. AT&T disclosed this in a Securities and Exchange Commission (SEC) filing and a statement released on July 12. The Federal Bureau of Investigation (FBI) and Department of Justice (DOJ) worked with AT&T to delay public reporting of the breach twice between April and July because of potential national security or public safety concerns.
The cybersecurity disclosure rules from the SEC require companies to disclose any material security incident and outline its nature, scope, the timing of the incident, and its likely impact. The SEC rules compel companies to file a Form 8-K to disclose the cybersecurity incident within four business days after determining an incident is material.
This appears to be the first cyber incident in which the Justice Department has asked a company to delay filing a disclosure with the SEC because of potential risks to the public.
The breach includes data of nearly all of AT&T’s mobile customers between May 1, 2022 and October 31, 2022 and was copied by a threat actor before or in April. AT&T listed approximately 110 million wireless subscribers at the end of 2022 and this data breach affected approximately 109 million subscribers. This breach includes call and text logs. The log files contain a record of every number that AT&T customers called or texted, the number of times they interacted, and the call duration. This includes calls and texts to customers of other wireless networks.
AT&T confirmed that this is a new incident and not related to the breach announcement from March. However, threat actors can use the data from the 2021 and 2022 breaches to develop an incredibly detailed view of AT&T customers.
Putting the data together
The key to joining the 2021 and 2022 breach data is the phone number. The 2021 breach includes the name, phone number, Social Security number, and date of birth of the AT&T customer. The 2022 breach includes the phone number of the AT&T subscriber, the numbers they called or texted, the number of times they interacted, and the call durations.
The data from the 2021 breach enables threat actors to steal the identity of, and/or open additional financial accounts in the name of, the AT&T customers from the first breach. The 2022 data set now describes the AT&T customer’s personal relationships. A threat actor with both data sets can know the contacts of the AT&T customer, including their:
- Romantic partners;
- Children;
- Family members; and
- Inner circle of friends and business associates.
The communications metadata can be used to correlate the AT&T subscriber and their contacts with publicly available information and easily derive their identities in many cases. The combined data enables a threat actor to create an incredibly accurate picture of the AT&T subscriber. The threat actor may be able to derive key information to answer security questions to access online accounts that are not enabled with multi-factor authentication.
Perpetrating deep fakes
A deep fake is a type of artificial intelligence technology that creates realistic but fake images, videos, or audio recordings. Think of it as advanced digital editing. For example, a deep fake could make it look like someone said or did something they never actually did by superimposing their face or voice onto another person’s actions. One of my favorite examples is a deep fake video from July 2021 that impersonates Morgan Freeman.
This technology can be used for nefarious purposes, such as spreading false information or committing fraud, making it a significant concern for financial advisors who rely on accurate data and trustworthy communications. Understanding and recognizing deep fakes is crucial to safeguarding your clients’ assets and your professional integrity.
Unfortunately, the information exposed in the AT&T and other breaches makes this incredibly difficult. Bad actors now hold much of the information they need to answer the security questions that protect online accounts. To meet their fiduciary duty, financial advisors must act in the best interest of their clients and in utmost good faith. Providing guidance to clients to protect their financial accounts from cybersecurity threats is a fundamental responsibility of a financial advisor.
Protecting your customers and firm
I published an article last month that discussed how to protect your wealth management firm in the face of the unprecedented size and frequency of data breaches currently seen. We strongly recommend implementing several steps within your firm:
- Multi-factor authentication for your team members on any device that accesses your data, including laptops, mobile phones, and tablets.
- Passcodes in your customer relationship management (CRM) system for your clients. Always call your client to confirm their instructions and their passcode before discussing sensitive information with the client.
- Take your time. Bad actors may contact your firm to gather additional information on a client who is or was an AT&T customer. Your team members should be vigilant for a rise in phishing attacks from bad actors.
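The CRM passcode in the second point only protects clients if the passcode itself cannot be lifted from the CRM by a phished team member or a leaked export. The following is illustrative code added for this article (it is not AT&T's, the author's, or any CRM vendor's implementation) showing one way to keep a client passcode: store only a salted, slow hash, compare in constant time, and lock the passcode after a few wrong guesses. The client passcode and the work-factor, attempt-limit and lockout values are constructed assumptions.

```python
"""Illustrative code added for this article (not AT&T's or any vendor's):
a CRM-side check for the client passcode the firm keeps, so the passcode is
stored only as a salted, slow hash and verified in constant time, with a
lockout after repeated wrong guesses. The client record and passcode are
constructed sample values."""
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 600_000       # PBKDF2-HMAC-SHA256 work factor (assumed value)
MAX_ATTEMPTS = 3           # wrong guesses allowed before a temporary lockout
LOCKOUT_SECONDS = 15 * 60  # how long the passcode is unusable after lockout


def _normalize(passcode: str) -> bytes:
    # The passcode is spoken over the phone, so letter case and surrounding
    # whitespace carry no meaning and should not cause a false mismatch.
    return " ".join(passcode.strip().lower().split()).encode("utf-8")


def enroll_passcode(passcode: str) -> dict:
    """Create the CRM record for a client's passcode. Only the salt and the
    digest are stored; the passcode itself never goes into the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(passcode), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "failed": 0, "locked_until": 0.0}


def verify_passcode(record: dict, attempt: str, now: Optional[float] = None) -> bool:
    """Check a passcode read back by the caller. Returns False while locked
    even if the attempt is correct, so a guesser learns nothing during lockout."""
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", _normalize(attempt),
                                    record["salt"], ITERATIONS)
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(candidate, record["digest"]):
        record["failed"] = 0
        return True
    record["failed"] += 1
    if record["failed"] >= MAX_ATTEMPTS:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failed"] = 0
    return False


if __name__ == "__main__":
    rec = enroll_passcode("Blue Heron 42")        # constructed sample passcode
    print(verify_passcode(rec, "blue heron 42"))  # True
    print(verify_passcode(rec, "Blue Heron 24"))  # False
```

The team member types what the client says; the CRM answers only yes or no. Because the stored record holds no recoverable passcode, a CRM export or a compromised staff account does not hand the passcode to an impersonator, and the lockout limits how many guesses a caller holding breach data can make.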
Your team members can advise your clients to take the following steps:
- Take your time. Phishing attacks often impersonate people or brands you know. Stay vigilant for bad actors using the breach to their advantage with themes that demand urgent attention, such as missed deliveries, account suspensions, and security alerts. Be wary of any calls from AT&T, as it is very unlikely to contact individual subscribers about the data breach.
- Enable multi-factor authentication on the email account you use with your financial advisor.
- Change the password on the email account you registered with your AT&T account (if you have one). This is especially important if the password is related to a personal relationship, such as a partner’s name and/or birthdate. Such a password can be guessed easily by a brute-force attack seeded with the information gathered in the breach.
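The last point can be turned into a check rather than advice: a password built from a partner's name or a birthdate can be found by anyone who holds the joined breach data. The following is illustrative code added for this article (not AT&T's, the author's, or any vendor's) that flags a password containing details an attacker would have, including lightly disguised forms such as "C0nn0r" and reversed tokens. The sample profile, the two passwords, and the small substitution table are constructed assumptions.

```python
"""Illustrative code added for this article (not AT&T's or a vendor's): a
password check that flags passwords built from details a breach like this one
exposes, such as the names of close contacts or a birthdate. The profile and
passwords below are constructed sample values."""
import re
from datetime import date

# A small table of the character swaps guessers commonly try ("J0hn" for
# "john"); folding them back lets the check catch lightly disguised tokens.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def date_tokens(d: date) -> set:
    """The common ways a date is typed into a password."""
    return {
        f"{d:%Y}", f"{d:%m%d}", f"{d:%d%m}", f"{d:%m%d%Y}", f"{d:%d%m%Y}",
        f"{d:%m%d%y}", f"{d:%d%m%y}", f"{d:%Y%m%d}",
        f"{d:%B}".lower(), f"{d:%b}".lower(),
    }


def personal_tokens(names, birthdates) -> set:
    """Build the word list someone holding the breach data could build:
    name parts of the client's contacts plus birthdate spellings."""
    tokens = set()
    for name in names:
        for part in re.split(r"[\s'\-]+", name.lower()):
            if len(part) >= 3:          # drop initials and particles like "de"
                tokens.add(part)
    for d in birthdates:
        tokens |= date_tokens(d)
    return tokens


def personal_info_in_password(password: str, tokens) -> list:
    """Return the personal tokens that appear in the password, checking the
    plain lowercase form, the leet-folded form, and reversed tokens.
    Longest tokens are reported first."""
    lowered = password.lower()
    variants = (lowered, lowered.translate(LEET))
    found = []
    for tok in sorted(tokens, key=len, reverse=True):
        if len(tok) < 3:
            continue                    # two-digit fragments match almost anything
        if any(tok in v or tok[::-1] in v for v in variants):
            found.append(tok)
    return found


def sample_profile() -> set:
    """Constructed profile: what joined breach data might reveal about a
    client's partner, child, and a birthdate."""
    return personal_tokens(["Sarah Connor", "Kyle Reese"], [date(1984, 10, 26)])


if __name__ == "__main__":
    profile = sample_profile()
    print(personal_info_in_password("Sarah1984!", profile))   # ['sarah', '1984']
    print(personal_info_in_password("C0nn0r!", profile))      # ['connor']
    print(personal_info_in_password("Tr0ub4dor&3", profile))  # []
```

A firm cannot run this against a client's email password, but it can run the same logic on its own staff and client-portal passwords, feeding it the names and dates it already holds in the CRM, and it gives team members a concrete way to explain to clients why "partner's name plus birth year" is no longer a secret.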
Financial advisors have an opportunity to help their clients at this time when many may be seeking help. They have a responsibility to protect their firms. I encourage all advisors to take these steps to protect their firm and clients.
John O’Connell, founder and chief executive officer for The Oasis Group, specializes in helping wealth management and technology firms solve their most complex challenges. His newest online training courses serve as a leading source of education for financial professionals at all levels in their careers. With modules ranging from cybersecurity to custodian markets and more, The Oasis Group enables firms and enterprises to upskill, learn at their own pace and rewatch lessons to reinforce specific learning objectives. Get an additional 20 percent off any course with coupon code ADVISORPERSPECTIVES.