When cybercriminals stole five months of customers’ call logs from AT&T, they found an indirect path to attack the telecommunications giant’s data. They found an access point through a cloud computing vendor most customers had likely never heard of.

The same is true for the big Ticketmaster breach of credit card numbers and credentials that the company confirmed in May.

As the world has become increasingly digitised, the collection of personal data out there for hackers to steal has grown. Each person leaves a digital footprint as they use devices to communicate, shop, track their fitness, listen to music or upload a document to the cloud. And we all trust the platforms we’re using to safeguard it.

With a greater collection of data comes a greater risk of it becoming compromised. And the consequences of this are vast, for both consumers and companies.

But the recent hacks of AT&T and Ticketmaster show it’s not just the brands we use that need to keep our digital identities safe, but the web of companies they rely on to make a seamless digital world possible.

It’s a cat-and-mouse game, cybersecurity expert and Georgia Tech professor Mustaque Ahamad says. The relationship between companies storing data and the hackers that want to exploit it.

Hackers are nimble and constantly adapting, finding software vulnerabilities in existing security systems. Companies build up walls to try to catch them - encrypting data, implementing access controls and requiring multiple forms of verification. But one always outsmarts the other.

“We rely on the internet and all kinds of online services. We do need to be careful and cautious. It can be breached, and it’s not your fault,” said Ahamad. “You have to learn to stay safe in the online world. You’re not going to be able to avoid it.”

All of the data collected by companies has to go somewhere. Companies often do not have the resources to build and maintain their own internal systems to warehouse data, so they will outsource the task to third-parties.

Last week, AT&T announced that hackers obtained data on the calls and text messages of essentially all its customers over a period of at least five months. AT&T said the hackers downloaded the information in April of this year from its workspace on a third-party cloud platform the communications giant later identified as Snowflake.

The data includes digital traces of voice and text communications - the cell numbers that customers called or received calls from, numbers that AT&T customers had text exchanges with and the times in which such communications were made.

The breach was the latest of several reported by large corporations since the start of the year. In May, Ticketmaster confirmed it identified unauthorised activity within a third-party cloud database and discovered a hacker offering user data for sale on the dark web. That same month, Santander Bank reported a breach of customer and employee data due to unauthorised access to a company database hosted by a third-party provider. Neither company confirmed the name of the third-party.

Around 165 organisations’ data were potentially exposed due to a threat campaign targeting Snowflake customer databases in April.

According to cybersecurity analytics firm Mandiant, a hacker used compromised credentials stolen through info-stealing malware to access a customer’s Snowflake installation. With this access, the hacker extracted data. This account did not have multi-factor authentication enabled. Around 165 organisations were potentially exposed, according to Mandiant.

Advance Auto Parts also reported a breach in July, listing Snowflake as the affected vendor in filings with regulators.

Montana-based Snowflake itself was not breached, the company said. In updates shared on Snowflake’s website, Brad Jones, the company’s chief information security officer, said Snowflake is committed to helping customers protect their accounts and data, and now requires multifactor authentication for all users in a Snowflake account.

AT&T, Ticketmaster and Advance Auto Parts did not immediately respond to requests for comment.

Several Georgia-based companies and institutions also suffered breaches in the past. In April, the University System of Georgia confirmed its user data was compromised as part of a large cyberattack targeting file transfer software used by private and public-sector organisations worldwide to store information. Data stored by a former contractor with the Georgia Department of Community Health, Maximus Health Services, was also compromised by the same cyberattack.

Not all breaches happen from hackers gaining access to third-party platforms. But these platforms are often a target because they’re information aggregators, and have a treasure trove of data stored within them. Hackers can compromise large numbers of victims at once with minimal effort.

Ahamad, the Georgia Tech professor, boils it down to simple analogy.

“We put our money in banks. And that’s why people rob banks,” he said.

Risks and costs

Breaches are a hit to companies, both financially and reputationally. According to a report from technology and research giant IBM, the global average cost of a data breach in 2023 to a company was US$4.45mil . This figure includes lost revenue from disruptions from business or system downtime, the cost of lost customers and the money spent on services to detect and investigate a breach.

Some of these costs are passed onto consumers, IBM found. About 57% of respondents in a survey of 533 companies impacted by breaches said that it led them to increase the prices of their business offerings.

Consumers face obvious risks, too, having entrusted companies to properly handle their data. Some information may seem less sensitive than others, such as the duration of a user’s calls, versus banking information, Social Security numbers or health records. But any type of information can be useful to an adversary. A hacker can learn about customers who frequently call a company, as an example, and “spoof” the company’s phone number to scam them.

Metadata tells comprehensive stories about who people are, what they are doing and what their secrets are, researcher John Scott-Railton wrote on X, formerly Twitter, after the AT&T breach. An unauthorised party now has an “NSA-level view into Americans’ lives,” he said.

The risk escalates when the data is stacked.

“One of the things that I was thinking about, especially now with AI capabilities, is being able to take information and build at scale, and create better attack profiles on people,” said Scott Kannry, the co-founder and CEO of cyber management software company Axio.

Many hackers are motivated by financial gain. In some cases, they will use online marketplaces through the dark web to sell stolen data to other parties. The dark web is a part of the internet that is only accessible through special software or authorisation. It is intentionally hidden, and protects users from surveillance and tracking, which has made it a hub for marketplaces where stolen material is often offered for sale.

Others can use the stolen data directly to make unauthorised purchases or commit identity theft. In the most recent AT&T data breach, one member of the hacking team accepted more than US$300,000 in ransom from the company to delete the data, technology magazine Wired reported.

Some experts, like Scott-Railton, believe data breaches will continue to happen until companies face financial penalties for them. The Securities and Exchange Commission adopted new rules this time last year requiring public companies to disclose cybersecurity incidents within four business days of determining materiality. An incident is material if it significantly impacts a company’s operations, reputation or financials.

In the meantime, companies and consumers can take precautions to protect themselves. One of the longest known risks to humanity is fire, Kannry said. And the world hasn’t solved it yet.

Companies can make upfront investments in detection technology and enhance their security posture. In the case of some of the breaches tied to Snowflake, cybersecurity firm Mandiant found compromised accounts did not have multifactor authentication enabled. A hacker only needed a valid username and password to gain access to customer accounts.

“From the corporate or enterprise perspective, the attitude has to be, and it’s so cliché at this point, ‘If an event hasn’t happened to us yet, it likely will in the future,’” Kannry said.

Consumers can practice what Kannry calls good cyber hygiene: using password managers, turning on multifactor authentication and monitor their financial statements for suspicious activity.

“There are risks and bad things that can happen, whether they’re accidental or malicious. In the modern climate, is it anywhere close to possible that this type of thing can be flat-out solved? The answer is absolutely not. Events will continue to happen. So if a building does burn down, you rebuild it, restart operations and life goes on,” Kannry said.

 - TNS