AT&T reportedly paid a hacker approximately $370,000 to delete stolen customer data. The payment was made to ensure the erasure of call and text records that had been illicitly obtained during a series of cyber intrusions earlier this year.
The hacker, associated with the notorious ShinyHunters hacking group, initially demanded $1 million but settled for the lower amount after negotiations. The transaction, which took place in May, was facilitated through Bitcoin, and the deletion of the data was verified through a video demonstration provided by the hacker.
The breach occurred between April 14 and April 25, 2024, and involved unauthorized access to AT&T’s workspace on a third-party cloud platform. The compromised data includes records of customer call and text interactions from May 1 to October 31, 2022, and some records from January 2, 2023.
The data breach exposed call and text metadata belonging to AT&T customers, including phone numbers, communication dates, and call durations.
It is important to note that the breach did not expose the content of calls or messages, nor did it include subscriber names. However, some records contained cell site IDs, which could be used to infer users' approximate locations.
Negotiations and Payment
A security researcher using the pseudonym Reddington mediated the negotiations between AT&T and the hacker. Reddington, who was also compensated by AT&T for his role, expressed confidence that the only complete copy of the data had been deleted. However, he cautioned that fragments of the data might still exist elsewhere.
The hacker demonstrated the deletion of the stolen data from a shared cloud server used by the hacker and another individual, presumably Binns. According to the WIRED report, the payment was verified through blockchain tracking tools.
Despite the payment and the apparent deletion of the data, residual risks persist for AT&T customers. Other parties may still hold samples of the data that were never recovered, posing an ongoing security threat. The FBI and other security agencies are involved in assessing the extent of the breach and its potential repercussions.
The disclosure of the breach was delayed due to potential national security implications. The Department of Justice granted AT&T exemptions to postpone public notification, allowing time for the FBI to conduct a thorough assessment.
AT&T’s decision to pay the ransom underscores the problematic choices companies face when dealing with sophisticated cyber threats.