AT&T revealed that customer call and text records were illegally downloaded from a third-party cloud platform called Snowflake, raising questions about the telecom giant’s data practices and the security of sensitive user information.
Senators demand answers from AT&T: In the wake of the breach, US Senators Richard Blumenthal and Josh Hawley sent a letter to AT&T CEO John Stankey, asking why the company retained months of detailed customer communication records and uploaded them to a third-party analytics platform:
- The senators sought clarification on AT&T’s policy regarding the retention and use of such sensitive information, including specific timelines.
- AT&T’s initial disclosures to customers and the Securities and Exchange Commission did not provide a detailed explanation of how Snowflake is used by the company.
Snowflake’s AI Data Cloud platform: Snowflake’s website describes its cloud platform as a means for businesses to collaborate and share data at a large scale:
- The platform connects businesses globally, bringing data and workloads together, and includes a marketplace that simplifies the sharing, collaboration, and monetization of datasets, services, and entire data applications.
- AT&T is featured as a customer case study on Snowflake’s website, highlighting how the telecom provider lowered costs and gained faster insights by switching from internal systems to Snowflake.
AT&T’s rationale for using Snowflake: Prior to the data breach, Snowflake published a case study detailing AT&T’s decision to move data to the cloud platform:
- AT&T Chief Data Officer Andy Markus stated that Snowflake gave the company the power to harness and integrate data to create insights, grow revenue, become more cost-effective, and improve the customer experience.
- The telecom provider’s previous internal system, which included Hadoop, made it difficult to collaborate with other companies and was seen as a more ineffective operating environment.
- By moving to Snowflake, AT&T achieved its goal of democratizing data across the business and efficiently processing hundreds of petabytes of data every day.
AT&T’s response and data retention practices: In response to the senators’ questions, AT&T stated that it often uses specialized and trusted cloud service platforms for various functions, including data analysis related to its business:
- The company analyzes historical customer data for network planning, capacity utilization, and developing new services and offers.
- AT&T did not provide specifics on how long it retains data, stating that retention periods depend on the type of personal information, how long it is needed to operate the business or provide products and services, and whether it is subject to contractual or legal obligations.
Broader implications and unanswered questions: The data breach at Snowflake and the subsequent revelation of AT&T’s data practices raise important questions about the security of sensitive customer information and the responsibility of telecom providers in safeguarding this data:
- The incident highlights the potential risks associated with storing large amounts of customer data on third-party cloud platforms, even when those platforms are considered “trusted” by the companies using them.
- It remains unclear exactly how AT&T uses the data stored on Snowflake’s platform and whether customers were aware that their call and text records were being retained and analyzed in this manner.
- The breach underscores the need for greater transparency from telecom providers regarding their data practices and more stringent security measures to protect customer information from unauthorized access.
After breach, senators ask why AT&T stores call records on “AI Data Cloud”