Senators Seek Answers from AT&T, Snowflake, in Wake of Massive Data Breaches

Snowflake may have failed to follow basic cybersecurity precautions, like changing passwords and using pirated software containing malware.

Two U.S. Senators are demanding AT&T and Snowflake, a cloud-based data storage company, provide lawmakers with explanations and data on two major recent data breaches, seeking to know how they happened, why they weren’t prevented, and why it took so long for the public to be informed.

Senator Richard Blumenthal, chair of the U.S. Senate Subcommittee on Privacy, Technology and the Law, and Senator Josh Hawley, the subcommittee’s ranking member, sent a bipartisan letter to both companies on July 16, following a rash of recent data breach announcements that have affected hundreds of millions of consumers worldwide.

Earlier this month, AT&T announced a data breach affecting the phone records for nearly all of its 110 million cellular customers. AT&T indicates that the data included phone call and text message records from May 1, 2022, to October 31, 2022, and again on January 2, 2023. However, the company waited more than two years to warn its customers their private information was at risk.

The announcement followed another AT&T data breach announced earlier this year involving the personal identifying information (PII) of more than 70 million customers, which the company also waited years to announce.

At least some of the problems have been blamed on Snowflake, Inc., a cloud-based server company that hosts and stores data from a number of companies. Snowflake stored not only the AT&T data that was hacked, but also was the storage company for Live Nation, which was the target of a TicketMaster data breach affecting at least half a billion customers.

A growing number of affected customers are now filing AT&T data breach lawsuits, which seek financial compensation for customers, alleging that their information was released due to a massive failure by AT&T to properly and adequately secure customer names, Social Security number and other data. While Snowflake has reportedly denied that the problems are due to cybersecurity failures on its end, it faces increasing scrutiny and has been named as a defendant in some data breach lawsuits.

In their letters to the CEOs of AT&T (PDF) and Snowflake (PDF), the senators request the companies answer questions about their efforts to secure private consumer data, and about their transparency while doing so. The letters indicate that basic security measures may have prevented the hacks.

“Disturbingly, the AT&T breach appears to have been easily preventable,” the letter states, indicating that information suggests hackers used malware, some of it bundled with pirated software, to access company passwords. “Compounding this basic cybersecurity failure, the hacked accounts had often kept the same passwords for several years, failed to implement firewall access, and failed to turn on multifactor authentication – additional basic cybersecurity failures that seemingly reflect gross negligence, particularly in light of the sensitivity of the data stolen in many of the breaches.”

The letter provides the two companies with a list of questions the senators want answered, including more details on how both AT&T data breaches are believed to have occurred. They also wish to know more about the data stolen, why AT&T delayed warning customers, and how Snowflake failed to detect the breaches and why it failed to put basic cybersecurity measures in place

AT&T Data Breach Lawsuits

Given common questions of fact and law raised in a growing number of complaints, the U.S. Judicial Panel on Multidistrict Litigation (JPML) established an AT&T data breach multidistrict litigation (MDL) last month, consolidating all complaints filed through the federal district court system in the U.S. District Court for the Northern District of Texas under Judge Ada E, Brown, who oversee coordinated pretrial proceedings.

So far, the claims included in the MDL only involve the first AT&T data breach announced earlier this year. It is unclear whether the class action lawsuit over this different data breach will be folded into the other consolidated claims.

However, now that an AT&T data breach MDL has been established in anticipation of the number of AT&T data breach lawsuit signups to come, it is expected that Judge Brown will establish a coordinated schedule for discovery to uncover how the customer information was released, steps that could have been taken to prevent the breach and how long AT&T knew about the problem.

If the parties fail to negotiate AT&T data breach lawsuit payouts for individual customers, it is likely that the Court will select a small group of representative cases to serve as early “bellwether” trials, which typically help the parties gauge how juries may respond to certain evidence and testimony that is likely to be repeated throughout the litigation. If AT&T fails to reach data breach settlements during the MDL proceedings, each individual claim may later be remanded back to the U.S. District Court where it was originally filed for trial.