AT&T Breach Incident Score: Analysis & Impact (ATT4392343111325)
The Rankiteo video explains how the company AT&T has been impacted by a Breach on the date July 01, 2024.
Incident Summary
Key Highlights From This Incident Analysis
- Timeline of AT&T's Breach and lateral movement inside company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident impacts AT&T Rankiteo cyber scoring and cyber rating.
- Rankiteo's MITRE ATT&CK correlation analysis for this incident, with associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the AT&T breach identified under incident ID ATT4392343111325.
The analysis begins with an overview of AT&T's company profile: the LinkedIn page (https://www.linkedin.com/company/att), the number of followers (1591781), the industry type (Telecommunications) and the number of employees (177538).
The video then explains how Rankiteo's incident engine converts the technical details of the breach into a normalized incident score. The score before the incident was 185 and after the incident was 122, a difference of -63, which can serve as an indicator of the severity and impact of the incident.
In the next step of the video, we analyze the incident in more detail and the impact it had on AT&T and their customers.
On 01 August 2025, AT&T disclosed Data Breach issues under the banner "AT&T Data Breach Settlement (2024)".
AT&T agreed to a $177 million settlement for two major data breaches in 2024 (March and July), exposing millions of customers' sensitive data, including Social Security numbers, birthdates, account details, phone numbers, and call logs.
The disruption is felt across the environment, exposing Social Security numbers, birthdates and names, with millions of records at risk, plus an estimated financial loss of $177 million (the settlement amount).
In response, teams activated the incident response plan, while recovery efforts such as settlement payouts to victims continue, and stakeholders are being briefed through public disclosure, the official settlement website and customer notifications.
The current status of the case is Settled (awaiting court approval for payouts), with advisories going out to stakeholders: customers are advised to file claims before November 18, 2025.
Finally, we map the incident against the MITRE ATT&CK framework to see which tactics and techniques correlate with what is known about the breach.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence:
- Initial Access: Valid Accounts (T1078), moderate to high confidence (70%), supported by evidence indicating account passcodes exposed in the March 2024 breach.
- Collection: Data from Local System (T1005), high confidence (95%), supported by evidence indicating Social Security numbers, birthdates, addresses, email IDs, phone numbers and billing account numbers compromised; and Data from Network Shared Drive (T1039), moderate to high confidence (85%), supported by evidence indicating call logs, interaction counts, call frequencies and cell site IDs exposed (July 2024).
- Exfiltration: Exfiltration Over Alternative Protocol: Exfiltration to Cloud Storage (T1048.003), high confidence (90%), supported by evidence indicating data appeared on the dark web (March and July 2024).
- Impact: Impair Defenses: Disable or Modify Cloud Firewall (T1598.003), moderate confidence (60%), supported by evidence indicating no containment/remediation details and long-term trust erosion in cybersecurity measures; Data Destruction (T1485), moderate confidence (50%), supported by evidence indicating no explicit destruction, but data appearing on the dark web implies loss of control; and Inter-Process Communication (T1659), moderate confidence (55%), supported by evidence indicating telecom metadata (call logs, cell site IDs) suggests abuse of internal telecom systems.
- Credential Access: Unsecured Credentials: Credentials In Files (T1552.001), moderate to high confidence (80%), supported by evidence indicating account passcodes exposed in the March 2024 breach.
These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
Sources
- AT&T Rankiteo Cyber Incident Details: http://www.rankiteo.com/company/att/incident/ATT4392343111325
- AT&T CyberSecurity Rating page: https://www.rankiteo.com/company/att
- AT&T Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/att4392343111325-at-t-breach-july-2024/
- AT&T CyberSecurity Score History: https://www.rankiteo.com/company/att/history
- AT&T CyberSecurity Incident Source: https://m.economictimes.com/news/international/us/att-data-breach-settlement-who-is-eligible-and-how-to-receive-up-to-7500/articleshow/125300871.cms
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/static/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://www.rankiteo.com/static/Rankiteo%20Cybersecurity%20Rating%20Model.pdf