AT&T admitted on Friday that a significant security breach had compromised the call records of tens of millions of its customers. Following this revelation, new reports have surfaced that the telecom giant paid around $370,000 to the hacker responsible for the AT&T data breach to delete all the stolen data.
The payment was made in cryptocurrency in May, and as part of the agreement, the hacker provided a video showing the data being deleted, according to Wired.
AT&T Data Breach: Negotiations and Payment Details
Wired conducted its own investigation and confirmed that the payment transaction did take place. The hacker, believed to be part of the notorious ShinyHunters group, initially demanded $1 million but eventually settled for around a third of that amount. The payment was facilitated through a security researcher known only as Reddington, who acted as an intermediary between AT&T and the hacker. Reddington also received a fee for his role in the negotiations.
Reddington shared the deletion video with Wired, expressing confidence that it showed the complete erasure of the stolen dataset. The video was provided to AT&T as proof of deletion. The hacker used the funds from AT&T to launder the cryptocurrency through several exchanges and wallets.
Background of AT&T Data Breach
The data breach at AT&T first came to light in mid-April when Reddington was contacted by an American hacker living in Turkey, believed to be John Erin Binns. Binns claimed to have obtained AT&T call logs and shared samples with Reddington, who verified their authenticity. Binns indicated that he had also accessed call and texting logs of millions of other AT&T customers through a poorly secured cloud storage account hosted by Snowflake. Reddington reported the breach to the security firm Mandiant, which then notified AT&T.
AT&T revealed in a regulatory filing to the Securities and Exchange Commission (SEC) that the stolen data included call and text messaging metadata, though not the content of the communications or the names of the phone owners. The stolen data encompassed telephone numbers of nearly all AT&T cellular customers and those who communicated with them between May 1, 2022, and October 31, 2022, as well as on January 2, 2023. The dataset also included dates and durations of calls and, for some records, cell site ID numbers that can reveal general locations of phone users.
The ShinyHunters group has been linked to a series of data thefts from unsecured Snowflake cloud storage accounts. AT&T is one of more than 150 companies affected by this hacking spree, which included victims like Ticketmaster, Santander, LendingTree, and Advance Auto Parts. The hackers exploited the lack of multi-factor authentication on these accounts, accessing them with stolen credentials and siphoning off data.
In its SEC filing, AT&T disclosed that it first learned of the breach in April but was granted exemptions by the Department of Justice to delay notification due to potential national security or public safety concerns. The FBI was informed shortly after AT&T discovered the hack and reviewed the data to assess the potential harm.
John Erin Binns, the hacker believed to be behind the AT&T breach, was arrested in Turkey in May for an unrelated data theft from T-Mobile in 2021. Binns has a history of legal issues and has accused U.S. authorities of various conspiracies against him. In 2022, Binns was indicted on 12 counts related to the T-Mobile hack, which involved the theft and sale of sensitive information on over 40 million people. Despite his legal troubles, Binns allegedly continued his hacking activities, including the AT&T breach.
Future Risks and Precautions
Despite the payment and deletion of the stolen data, some AT&T customers may still be at risk if other copies of the data exist. The hacker who allegedly received the payment claims that Binns had shared samples of the data with others, though it remains unclear how many people received these excerpts and what they did with them.
The Cyber Express Team has reached out to AT&T officials for comment; however, as of this writing, no official response had been received.
AT&T’s decision to pay the hacker highlights the complex and often difficult choices companies face when dealing with data breaches.