AT&T Data Breach 2024

2024-07-01T00:00:00.000Z

BREACH INTELLIGENCE

Breach date: 2024-07-01
Industry: Telecommunications
Severity: Critical
Records exposed: 73M+ customers
Financial impact: $370K ransom paid

Breach Summary

The AT&T data breach of 2024 was actually two separate incidents affecting nearly 110 million AT&T customers. The first, in March 2024, involved data from a 2021 database that had circulated on the dark web. The second, in July 2024, revealed that records of virtually all AT&T customer calls and texts from 2022 had been stolen from AT&T's Snowflake cloud environment — one of the most consequential telecom breaches in US history.

What Happened

AT&T disclosed the July 2024 breach after delaying disclosure at the request of federal law enforcement, which said that earlier disclosure could interfere with its investigations. The company paid $370,000 to hackers who claimed to have deleted their copy of the data. One individual was arrested in connection with the broader Snowflake campaign. The March 2024 incident — data from a database stolen in 2021, containing Social Security numbers and account information for 73 million customers — was disclosed separately, after the data had circulated on the dark web for years.

Attack Vector Detail

The July 2024 breach was part of the broader Snowflake campaign in which attackers used credentials stolen through information-stealing malware to access dozens of major companies' Snowflake cloud data warehouse environments. AT&T's Snowflake environment contained call and text metadata records — who called whom, when, and for how long — for nearly all AT&T wireless customers and MVNO customers on AT&T's network for a six-month period in 2022.

The attackers accessed the data with compromised Snowflake credentials. Snowflake did not yet require MFA, and many of its customers were operating without it. The credentials had been harvested by information-stealing malware that infected AT&T employee systems.
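The pattern described above (a valid password, no second factor, used from wherever the infostealer's buyer happens to be) leaves a trace in Snowflake's own login audit. The queries below are an added example, not AT&T's or Snowflake's code; they assume the column names of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, EVENT_TIMESTAMP) and a role that has been granted access to that share.

```sql
-- Added example (not AT&T's or Snowflake's own code): hunt for successful
-- single-factor password logins in Snowflake's account-level login audit.
-- Assumes access to the SNOWFLAKE.ACCOUNT_USAGE share (ACCOUNTADMIN or a
-- role with IMPORTED PRIVILEGES); the view lags live events by up to ~2 hours.
SELECT
    user_name,
    reported_client_type,                     -- SNOWFLAKE_UI, JDBC_DRIVER, PYTHON_DRIVER, ...
    COUNT(*)                    AS logins,
    COUNT(DISTINCT client_ip)   AS distinct_source_ips,
    MIN(event_timestamp)        AS first_seen,
    MAX(event_timestamp)        AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL   -- no MFA challenge on this login
GROUP BY user_name, reported_client_type
ORDER BY distinct_source_ips DESC, logins DESC;

-- Users who authenticated in the window but never once with a second factor:
-- candidates for forced MFA enrollment, or for conversion to key-pair
-- service users if they are automation rather than people.
SELECT user_name,
       COUNT(*)                  AS logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
GROUP BY user_name
HAVING COUNT_IF(second_authentication_factor IS NOT NULL) = 0
ORDER BY distinct_source_ips DESC;
```

A human account that shows up in the first result with many distinct source IPs, or with a driver client type it never used before, is the signal the campaign relied on defenders not looking for. Pipeline accounts that legitimately never see MFA should be on key-pair or OAuth authentication rather than passwords, which makes them drop out of both result sets.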

Breach Pattern Timeline

April-May 2024

AT&T detects unauthorized download of customer data from Snowflake cloud workspace. Data downloaded includes call and text records — but not message content — for 'nearly all' AT&T cellular customers from a 6-month period (May 1 - October 31, 2022) plus a separate January 2, 2023 record.

April 19, 2024

AT&T discloses a SEPARATE March 2024 dark web data leak of personal information — names, addresses, phone numbers, dates of birth, Social Security numbers — for 73 million current and former AT&T customers. Source disputed (AT&T initially denied, later acknowledged data appears authentic).

July 12, 2024

AT&T's SEC Form 8-K filing discloses the Snowflake-based call/text records breach affecting 'nearly all wireless customers' (approximately 110 million customers). This is the larger of the two 2024 incidents.

July 12, 2024

AT&T confirms ransom payment of approximately $370,000 in Bitcoin to threat actors who claimed to have deleted the data. Payment widely reported as ineffective at preventing future leaks.

July-August 2024

Snowflake breach attribution emerges: the AT&T data was accessed via compromised Snowflake credentials of a third-party contractor. Other Snowflake customers — Ticketmaster, Santander Bank, Advance Auto Parts, Neiman Marcus, ~165 organizations total — also affected by same threat actor (UNC5537).

September 2024

Multiple class action lawsuits consolidated against AT&T. Investigations by FCC, FTC, and state attorneys general continue.

November 2024

FBI arrests Connor Riley Moucka (Canadian) and John Erin Binns (American) — alleged UNC5537 operatives — for the Snowflake-customer breach campaign. Both are subsequently extradited and prosecuted in the U.S.

2025-2026

Class action consolidation continues in U.S. federal courts. AT&T's two 2024 incidents become a case study in cumulative breach exposure and in the limits of ransom payment as a containment strategy.

Total impact of the two 2024 incidents combined: call/text metadata for ~110M wireless customers, PII (including SSNs) for 73M customers, a $370K ransom paid (ineffective), and a foundational case for the Snowflake-customer breach campaign and for cumulative breach exposure assessment.

Executive Lessons

The AT&T breach established that all historical call record data retained by telecommunications providers represents a durable liability: data collected years before a breach can create privacy harm for individuals who have long since changed their communication patterns. It also reinforced that telecommunications infrastructure data, even without call content, enables significant privacy inference: who called whom, how often, and for how long reveals relationships and patterns in which individuals have a reasonable expectation of privacy.

Private Equity Implications

For PE portfolio companies using Snowflake or other cloud data warehouses, the AT&T breach established that data warehouse MFA enforcement is non-negotiable. Any Snowflake environment without MFA is one compromised credential away from complete data exposure.
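The enforcement side of that statement is a handful of account-level statements in Snowflake. The block below is an added example, not AT&T's or Snowflake's configuration: the policy and user names and the IP range are placeholders, and it assumes Snowflake's authentication policy, service-user type and network policy features as documented at the time of writing.

```sql
-- Added example (not AT&T's or Snowflake's configuration). Policy names,
-- the user name and the IP range are placeholders; 203.0.113.0/24 is
-- documentation address space (RFC 5737). Run as ACCOUNTADMIN or an
-- equivalent role.

-- 1. Require every password-authenticated person to enroll in MFA.
--    CLIENT_TYPES is left at its default (ALL); MFA_ENROLLMENT = REQUIRED
--    needs SNOWFLAKE_UI to be among the allowed clients so that the
--    enrollment prompt can be shown at sign-in.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Account-wide MFA enrollment for human users';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 2. Automation should not hold a password that an infostealer can lift:
--    move the pipeline user to key-pair authentication and mark it as a
--    service user, which removes password login entirely.
ALTER USER etl_service SET RSA_PUBLIC_KEY = '<placeholder: PEM body without header/footer lines>';
ALTER USER etl_service UNSET PASSWORD;
ALTER USER etl_service SET TYPE = SERVICE;

-- 3. Restrict where logins may originate, so a credential that does leak
--    is not usable from an arbitrary network.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Corporate egress and pipeline runners only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Order matters in step 2: the password is removed before the account is marked as a service user, because a service user is not permitted to carry one. Test the network policy against a session from an allowed address before attaching it at account level, since a mistyped range locks out administrators as effectively as attackers.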

How Cloudskope Can Help

Cloudskope's cloud security assessments evaluate Snowflake and other data warehouse access controls, MFA enforcement for cloud data platforms, and information-stealer malware detection capability — the attack vectors used in the Snowflake campaign.