What keeps CISOs up at night? These security leaders are stretched thin, with competing and ever-escalating priorities — so the answer may change depending on the day and who you're talking to. But, in recent weeks, a spate of massive data breaches connected with Snowflake has become deeply troubling to CISOs and their peers. The latest and most widespread breach in the Snowflake saga is AT&T, whose data breach reported today has impacted virtually all of its 110 million wireless customers and the extended network of contacts who interacted with those AT&T customers.
Initial reports tie the AT&T breach to a lack of multi-factor authentication applied to Snowflake accounts — which made the massive volume of AT&T customer data stored and processed in Snowflake more vulnerable to bad actors. Here are some important things to know about the breach and what it means for enterprise security leaders.
AT&T and Snowflake Breach Leaves Customers Out in the Cold
The Snowflake breach didn't just leak enterprise data. It leaked customers' private call records. According to TechCrunch, “AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages — such as who contacted who by phone or text — during a six-month period between May 1, 2022 and October 31, 2022.” TechCrunch also reports a smaller subset of text and call data from January 2, 2023, was leaked.
This represents a massive invasion of privacy, at a mind-boggling scale. The consequences will likely continue to reveal themselves over weeks, months, and years, and it’s AT&T customers who will be enduring the brunt of the consequences.
What This Breach Means for CISOs and Security Leaders
It goes without saying that breaches of this scale and severity deal a significant blow to the brand. AT&T will undoubtedly lose customers and value in the coming weeks as a result of this incident.
Many security leaders will shake their heads at the lack of basic security hygiene practices like multi-factor authentication for such a highly sensitive dataset stored and processed in third-party vendor software. Wise security leaders will use this incident as a call to action to re-evaluate their vendor supply chains for potential vulnerabilities and make changes accordingly.
Those changes may include advocating for more budget and resources where needed It's a well-known fact that security teams often don't get the investments that they need to be successful. An overworked, overwhelmed team is more likely to experience mistakes like this one — and as we've seen time and time again, breaches can cost billions in lost revenue and brand equity.
An ounce of prevention is worth a pound of cure: Make the case for your team so that you, your peers, and your customers can be successful.
Enterprise Data Stewards Need Immaculate Attention to Detail
There’s no doubt that security leaders today are grappling with mountains of competing priorities, software agreements, integrations, and vendor relationships to manage. They are stretched thin. With precedents like the Uber CSO being personally sentenced to 3 years of probation and a $50,000 fine for covering up a breach, CISOs, CSOs, and other security leaders have a lot on the line, both personally and professionally.
Yet, the cyber landscape continues to move at a lightning-fast pace, and a failure to keep up with an expanding sprawl of third-party vendors and customer data can be catastrophic, especially when those vendors are entrusted with sensitive information.
When you look at global enterprises like AT&T, and the scale at which they operate, it’s easy to see how a small detail like overlooking multi-factor authentication in one of hundreds of business apps might get overlooked. But this detail was a monumentally important one, especially given that AT&T trusted Snowflake to house vast volumes of sensitive customer data and PII.
In a sea of priorities that hit an enterprise security team’s desk, someone on the team should have recognized the lack of MFA as an issue. But, there is shared responsibility here, in that Snowflake did not require multi-factor authentication on accounts before this round of breaches came to light in early 2024.
Third-Party Vendors Make or Break Your Cybersecurity Posture
Yes, AT&T should have proceeded with greater caution in making sure that massive customer databases containing PII would be properly protected before handing them off to a third-party vendor. But, Snowflake is a highly sophisticated analytics software company. Their customer base includes Cisco, Comcast, MasterCard, Adobe, and the New York Stock Exchange, to name a few. Snowflake is no stranger to managing enterprise-scale datasets containing sensitive information, so it’s surprising that they did not require and enforce baseline security practices like MFA when they knew that customers like AT&T were storing sensitive customer PII in Snowflake's cloud.
Many enterprises require tools like Snowflake, Databricks, or Google BigQuery to extract insights from huge volumes of data. These apps are practically essential for any innovative enterprise. In AT&T’s Snowflake Case Study, AT&T’s Chief Data Officer said, “The Snowflake Data Cloud has given us the power to harness and integrate data to create insights. With data at our fingertips, we are growing revenue, becoming more cost effective and, most importantly, improving the customer experience.”
AT&T was using Snowflake to derive value from data and build better customer experiences. With 110 million customers, that's an ocean of data that AT&T needs to learn, grow, and improve from. Gaining value from data is essential for any enterprise, but that value should never come at the expense of customer privacy and security.
Ultimately, CISOs should evaluate whether their supply-chain partners have earned their trust, whether that's with demonstrable data security like FedRAMP-authorized practices, required security measures for accounts, or simply delivering on exactly what they say they're going to do. It also helps to talk with your cybersecurity peers and evaluate trusted third-party recommendations like Gartner Peer Reviews to understand their experiences with the vendors you're considering.
Questions to Ask Yourself After the AT&T Breach
If you learn anything from the AT&T breach, it’s that the details matter, and who you trust matters:
- Are your third-party vendors truly worthy of your trust? Have they earned the right to access and protect customer data?
- Are you over-trusting your vendors or internal employees with access to sensitive information?
- How are you governing access to sensitive data (like customer PII, PHI, CUI, or CJI)?
- Are you providing secure ways for your teams to share information, collaborate, and get their jobs done without sacrificing security?
- Are you simply protecting your own perimeter, or are you looking at the full picture of how your business is sending and receiving sensitive information, internally and externally?
It’s All About the Data: Choose Your Partners Wisely
Breaches like these highlight how everything comes down to the data at the end of the day. It’s the data itself that cyber attackers are after. It’s the data that makes their work profitable. It's data that drives insight and growth for any business. And it’s the exposure of data that puts customers at risk when their private information is leaked or breached.
Your data is everything. For organizations of any size — whether it's a global telecom company like AT&T or a regional bank or small healthcare practice — your value and your customer relationships are deeply tied to how you choose to protect that data.
If you’d like to learn how Virtru can help your organization take control of sensitive information that needs to be shared with external partners, contact our team for a demo. We’d love to share how we can help you close some of the data gaps in your organization .
