Credential theft
AT&T call records breach via Snowflake (UNC5537)
Incident Details
UNC5537 downloaded AT&T call and text metadata for nearly all of AT&T's ~110 million wireless customers, covering May–Oct 2022 plus a small subset from Jan 2023. The data included call/text metadata and approximate cell-site locations, but not the content of communications or SSNs. AT&T discovered the breach on 19 April 2024; the DOJ twice authorised delays to disclosure (9 May and 5 June), citing national security concerns, an unprecedented use of the SEC 8-K disclosure-delay mechanism. AT&T paid ~$370,000 in Bitcoin as ransom in exchange for deletion of the data. The 8-K disclosure was filed with the SEC on 12 July 2024. The incident was part of the broader Snowflake campaign, which affected 165+ organisations.
Technical Details
- Initial Attack Vector
- CWE-307: Improper Restriction of Excessive Authentication Attempts (stolen credentials were reused against AT&T's Snowflake tenant, which did not enforce MFA)
- Vendor / Product
- Snowflake cloud data platform / AT&T
Timeline
- 2024-04-14 Breach occurred
- 2024-07-12 Publicly disclosed
- 2024-07-12 Customers notified