AT&T Reportedly Paid $370,000 to Hacker to Delete Stolen Customer Data
Telecommunications giant AT&T has reportedly paid a hacker $370,000 to delete stolen customer data, following a security breach that compromised the call and text records of nearly all of its customers. The breach, which AT&T discovered in April, involved the theft of call and text metadata. The content of communications was not taken, nor were details such as Social Security numbers and dates of birth, but the metadata itself is sensitive, as discussed below.
The hacker, affiliated with the notorious ShinyHunters group, initially demanded $1 million but eventually settled for the lower amount after negotiations facilitated by a security researcher known by the pseudonym Reddington. The payment was made in Bitcoin in May, and the hacker provided a video demonstration to prove the deletion of the stolen data. This transaction was verified through blockchain tracking tools.
The compromised data included phone numbers, the dates of calls and texts, call durations, and, for a subset of records, cell site IDs, which can be mapped to the approximate location of a handset at the time of the call. The breach affected both mobile and landline users, with records spanning May 1, 2022, to October 31, 2022, and a smaller set from January 2, 2023. The data was held in AT&T's accounts on Snowflake, a third-party cloud data platform, and those accounts were not protected by multi-factor authentication, a weakness that attackers with stolen credentials exploited in a string of breaches across many organizations.
Reddington, who acted as a mediator in the negotiations, expressed confidence that the only complete copy of the stolen dataset was deleted. However, he acknowledged the possibility that fragments of the data might still exist elsewhere. A recorded deletion shows only that one copy was removed; it cannot prove that no other copies were made beforehand. This lingering risk means AT&T customers, and anyone whose numbers appear in their records, remain exposed.
The breach was part of a broader hacking spree that exploited weak account security, chiefly missing multi-factor authentication, on Snowflake customer accounts. Mandiant, the security firm Snowflake engaged to investigate the incidents, attributed the attacks to a group it tracks as UNC5537, describing it as financially motivated with members in North America and Turkey. The group has been linked to other high-profile data thefts, including a previous breach affecting T-Mobile.
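The checks below are an added example, not code from AT&T, Snowflake, or Mandiant. They assume you hold the ACCOUNTADMIN role (or another role granted access to the SNOWFLAKE.ACCOUNT_USAGE share) and show the two questions a Snowflake administrator should be able to answer after this incident: which human users can still sign in with a password alone, and which recent logins actually did so. The network policy at the end is one of the standard Snowflake controls for cutting off credential-only access from arbitrary IP ranges; the 203.0.113.0/24 range is a placeholder documentation prefix, not a real corporate network.

```sql
-- Added example (not from the article's sources). Requires a role with
-- access to SNOWFLAKE.ACCOUNT_USAGE; ACCOUNT_USAGE views lag real time by
-- up to a couple of hours, so do not treat them as a live alerting feed.

-- 1. Active human users who hold a password but are not enrolled in MFA.
--    EXT_AUTHN_DUO is Snowflake's MFA enrollment flag; users relying only
--    on SSO or key-pair auth show HAS_PASSWORD = FALSE and are excluded.
SELECT
    name,
    login_name,
    last_success_login,
    has_rsa_public_key
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, grouped by user,
--    source IP and client. Logins from unfamiliar IPs or unusual client
--    types (anything that is not your BI tool, driver or the web UI) are the
--    rows to investigate first.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    reported_client_version,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen,
    COUNT(*)             AS login_count
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type, reported_client_version
ORDER BY last_seen DESC;

-- 3. Restrict where the account can be reached from while MFA enrollment is
--    being completed. 203.0.113.0/24 is a placeholder; substitute your own
--    egress ranges. Applying the policy at account level affects every user,
--    including service accounts, so verify their source IPs first.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
    ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Query 1 is the inventory; query 2 is the detection. A user who appears in query 1 and whose password-only logins in query 2 come from an IP outside your known ranges is exactly the pattern a stolen-credential login would leave, and is worth a password reset and a review of QUERY_HISTORY for that user before anything else.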
AT&T's decision to pay reflects the difficult position companies find themselves in when mitigating the damage from cyberattacks. The payment was intended to secure deletion of the stolen data, but a ransom for deletion buys a promise rather than a guarantee, and it leaves the organization dependent on the good faith of the criminals it is paying. The FBI and other law enforcement agencies have been involved in assessing the breach's extent and potential repercussions, and at least one suspect has been detained in connection with the attack.
Public disclosure of the breach was delayed because of potential national security implications: the Department of Justice granted AT&T an exemption allowing it to postpone notification. The delay gave time to assess the breach's impact and put measures in place for affected customers.
AT&T has yet to comment publicly on the ransom payment, but it has confirmed that it will notify current and former customers whose information was involved. The company emphasized that the stolen data did not include sensitive personal details such as Social Security numbers or dates of birth. The metadata that was exposed still poses significant privacy concerns, however: who called whom, when, for how long, and from roughly where can be inferred from the records even without the content of any call.
This incident marks the second major security breach reported by AT&T this year. In March, a separate breach affected 7.6 million current customers and 65.4 million former ones, exposing personal information such as names and Social Security numbers. These repeated breaches underscore the urgent need for robust cybersecurity measures to protect customer data in an increasingly digital world.
As the investigation continues, the AT&T breach illustrates the legal and ethical dilemmas companies face in responding to such incidents. The involvement of a known criminal group, the use of cryptocurrency to pay for a deletion that cannot be independently verified, and the delayed disclosure on national security grounds together make this a more complicated story than a single intrusion, and a reminder of how much weight now rests on basic account-security controls at third-party providers.