Dozens of federal agencies’ call data potentially exposed in AT&T breach

The logo of AT&T outside of AT&T corporate headquarters on March 13, 2020 in Dallas, Texas. The company recently reported news of a data breach impacting nearly all of its customers. Ronald Martinez/Getty Images

AT&T is a prime contractor on the government's $50 billion telecom contract vehicle and supplies infrastructure and bandwidth for the FirstNet public safety communications program.

Dozens of federal agencies’ call and text records have been potentially exposed in an AT&T breach revealed by the company on Friday.

The telecom giant said the stolen data on nearly all AT&T customers includes both cellular and landline phone numbers, along with records of calls and text messages — detailing who contacted whom — over a six-month window from May 1, 2022, to October 31, 2022. 

The pilfered data does not include the specific contents of the calls and text messages, nor times or dates of the conversations, but it does include records of interactions between AT&T phone numbers during the six-month period, including the total number of calls and texts, and the duration of calls. At least one person has already been arrested in connection with the breach.

Some of the stolen records also fall on January 2, 2023, affecting a smaller, unspecified number of customers, the company said. Additionally, the stolen data includes call records of customers from other cell carriers that use AT&T’s network.

AT&T is one of the top suppliers of telecom and network services to the federal government. It is a prime contractor on the $50 billion Enterprise Infrastructure Solutions contract — a multiple award program from which agencies can issue and award task orders — that is administered by the General Services Administration, which did not respond to a request for comment.

Agencies that tap AT&T for telecommunications services include the Departments of Homeland Security, Justice, State, Defense and Veterans Affairs, as well as agencies in the intelligence community.

The company in 2018 secured a hefty classified contract with the National Security Agency. A spokesperson for the Defense Information Systems Agency, which oversees IT and communications infrastructure for the DOD, did not immediately respond to a request for comment.

“CISA is aware of the cyber incident reported today and is working with AT&T and USG partners to assess impact,” a Cybersecurity and Infrastructure Security Agency spokesperson told Nextgov/FCW, acknowledging the incident has a possible impact on federal clients. “As always, CISA urges all organizations to enforce stringent security measures, including multifactor authentication. We will continue to monitor and provide guidance or assistance, as needed.” 

The Federal Communications Commission said on the X social media platform it’s conducting an “ongoing investigation” into the breach and is coordinating with law enforcement partners. 

AT&T notably manages the FirstNet program, a public safety network relied on by first responders at all levels of government – federal, state, local and tribal. It’s administered by the Commerce Department, which deferred to FirstNet when Nextgov/FCW asked for comment.

“The FirstNet Authority was made aware of an incident where AT&T customer data was illegally downloaded from its workspace on a third-party cloud platform,” a program spokesperson said. “AT&T continues to work with law enforcement, which the company says has led to an apprehension. The FirstNet Authority takes all aspects of network security seriously. We are working closely with AT&T to address any concerns from FirstNet users.”

"The data downloaded covers AT&T records of calls and texts from telephone numbers that interacted with the AT&T commercial network. The majority of FirstNet’s subscribers as of the end of 2022 are not included in the compromised data," an AT&T spokesperson told Nextgov/FCW.

Agencies affiliated with FirstNet are directed to check their account to see if they were impacted in the breach, a company notice said.

A CISA employee who uses FirstNet on their workplace device, and who spoke on the condition of anonymity because they were not authorized to share their views publicly, said AT&T moved quickly to communicate with other law enforcement officials, including at the FBI.

“There is a process for these things, and the sooner the right agencies are able to support, react and respond means sooner recovery and an analysis of what the impact may be,” the employee told Nextgov/FCW.

The call logs were first stolen in April, but the company — which is publicly traded and required to adhere to strict disclosure requirements set by the Securities and Exchange Commission — obtained a national security exemption to delay the breach notification, it said in its filing of the incident. The data exfiltration was connected to a breach in Snowflake, a data warehousing provider, the company confirmed to several media outlets.

While only phone numbers were obtained, they can be easily used to build out profiles on government staffers, said Jon Taylor, VP of Security Engineering at Fortress Information Security, adding that attempted cyberattacks on federal employees should be expected to increase.

“Nobody’s social security number was gone, but the abject look for fraud is really where it’s at, especially if government agencies are involved here,” he said. 

Editor's note: This article has been updated to include a comment from AT&T.