AT&T disclosed on Friday the 12th of July that the company's Snowflake tenant deployment had been compromised in May (consistent with the broader UNC5537 campaign that I wrote about in June), exposing call and SMS metadata records for approximately 110 million customers, covering substantially all of AT&T's mobile customer base (AT&T 8-K filing and customer notice, July 12). The exposed data does not include the content of communications but does include call-record metadata: phone numbers called, durations, dates, and (for a subset of records) approximate cell-tower location information that allows inference of customer location.
The metadata-as-substantive-data lesson is the part of the case that needs explicit treatment. Many customer-organisation data-protection programmes distinguish between "content" data (the substance of communications, financial records, personal records) and "metadata" (the operational records of who communicated with whom, and when), and have treated the two asymmetrically: content has been heavily protected, metadata less so. The AT&T case demonstrates that, in the threat model relevant to substantial fractions of the affected population (journalists with confidential sources, activists organising in difficult political contexts, individuals in sensitive personal circumstances), metadata is as sensitive as content, and arguably more sensitive in some specific cases. The customer-organisation conversations about metadata-protection posture have been substantively informed by the AT&T case.
The disclosure-handling pattern. AT&T's notification went to the SEC on Friday afternoon and to customers on Friday evening, within reasonable timing windows for the GDPR-comparable disclosure expectations that US state regulations have increasingly mirrored in recent years. The technical detail in the disclosure was specific about the affected data categories and adequate for affected customers to assess their personal exposure. The customer-action guidance was clear. The disclosure quality has been broadly consistent with the post-2018 disclosure norm.
For the customer-portfolio briefings. The AT&T case has produced specific conversations at customer organisations in our portfolio that hold substantive metadata: the manufacturer's overseas-operations call-record processing for some business units, Northcott's operational records that include substantial location and movement data, and the financial-services firm's transaction-metadata holdings. The customer-organisation programme work to bring metadata into a protection posture comparable with that of content data is being substantively prioritised through Q3-Q4.
I will note this for the file. The longer-form analysis of metadata-as-content material is going into the regulatory-environment book that is in early outline.