CyberSecurity SEE

Secured or Simply Settled?

AT&T faced a major security breach that compromised the call records of millions of its customers. In response to this breach, reports have emerged indicating that AT&T paid approximately $370,000 to the hacker responsible for the breach in exchange for the deletion of the stolen data.

The payment was made in cryptocurrency in May, with the hacker providing a video as proof of the data deletion. Wired conducted an investigation and confirmed that the transaction took place. The hacker, believed to be part of the ShinyHunters group, initially demanded $1 million but settled for a lower amount. The payment was facilitated by a security researcher known as Reddington, who acted as an intermediary between AT&T and the hacker.

Reddington, who received a fee for his role in the negotiations, expressed confidence that the video showed the complete erasure of the stolen dataset. After receiving payment, the hacker laundered the cryptocurrency through various exchanges and wallets.

The data breach at AT&T first came to light when Reddington was contacted by a hacker named John Erin Binns, who claimed to have obtained AT&T call logs and shared samples with Reddington to verify their authenticity. Binns revealed that he had accessed call and texting logs of millions of AT&T customers through a poorly secured account on the Snowflake cloud data platform. Reddington reported this information to Mandiant, a security firm, which then notified AT&T.

The stolen data included call and text messaging metadata, but not the content of the communications or the names of the phone owners. The dataset encompassed telephone numbers of nearly all AT&T cellular customers and those who communicated with them during specific periods. Additionally, the dataset included dates, durations of calls, and cell site ID numbers that could reveal general locations of phone users.

The ShinyHunters group has been linked to multiple data thefts from poorly secured Snowflake accounts. AT&T is one of over 150 companies affected by these hacks, including Ticketmaster, Santander, LendingTree, and Advance Auto Parts. The accounts were not protected by multi-factor authentication, so a stolen username and password alone was enough to log in and extract data.
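The common thread in these intrusions is a valid password used without a second factor, often from infrastructure the legitimate user never logged in from. The following is an added example, not code from the article, Wired, Mandiant, or Snowflake: it runs a simple detection over login records laid out with the column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS). The rows are constructed for the example, and the "new source IP" logic (compare against IPs seen before a cutoff date) is my own assumption about how to define an unusual login, not a published indicator.

```python
"""Flag password-only Snowflake-style logins, especially from new source IPs.

Added example; the login rows below are constructed and the column layout
mirrors the ACCOUNT_USAGE.LOGIN_HISTORY view as an assumption of this example.
"""
from collections import defaultdict
from datetime import datetime

COLUMNS = ("EVENT_TIMESTAMP", "USER_NAME", "CLIENT_IP", "REPORTED_CLIENT_TYPE",
           "FIRST_AUTHENTICATION_FACTOR", "SECOND_AUTHENTICATION_FACTOR", "IS_SUCCESS")

# Constructed sample data: ALICE and BOB use the web UI with a Duo second factor,
# ETL_SVC is a service account that only ever uses a password, and in April
# someone logs in as ETL_SVC from an IP the account never used before.
LOGIN_HISTORY = [
    ("2024-03-02T09:15:00", "ALICE",   "198.51.100.20", "SNOWFLAKE_UI",  "PASSWORD", "DUO_PUSH", "YES"),
    ("2024-03-05T09:20:00", "ALICE",   "198.51.100.20", "SNOWFLAKE_UI",  "PASSWORD", "DUO_PUSH", "YES"),
    ("2024-03-07T11:40:00", "BOB",     "198.51.100.31", "SNOWFLAKE_UI",  "PASSWORD", "DUO_PUSH", "YES"),
    ("2024-03-03T01:00:00", "ETL_SVC", "198.51.100.44", "PYTHON_DRIVER", "PASSWORD", None,       "YES"),
    ("2024-03-10T01:00:00", "ETL_SVC", "198.51.100.44", "PYTHON_DRIVER", "PASSWORD", None,       "YES"),
    ("2024-04-14T02:09:30", "ETL_SVC", "203.0.113.7",   "PYTHON_DRIVER", "PASSWORD", None,       "NO"),
    ("2024-04-14T02:11:09", "ETL_SVC", "203.0.113.7",   "PYTHON_DRIVER", "PASSWORD", None,       "YES"),
    ("2024-04-15T11:40:00", "BOB",     "198.51.100.31", "SNOWFLAKE_UI",  "PASSWORD", None,       "YES"),
    ("2024-04-15T11:41:00", "BOB",     "198.51.100.31", "SNOWFLAKE_UI",  "PASSWORD", "DUO_PUSH", "YES"),
]


def as_records(rows):
    """Turn the tuple rows into dicts keyed by the view's column names."""
    return [dict(zip(COLUMNS, row)) for row in rows]


def is_password_only(rec):
    """Successful login authenticated by a password and nothing else."""
    return (rec["IS_SUCCESS"] == "YES"
            and rec["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not rec["SECOND_AUTHENTICATION_FACTOR"])


def users_without_mfa(records):
    """Users whose every successful login was password-only (MFA never seen)."""
    factors_seen = defaultdict(set)
    for rec in records:
        if rec["IS_SUCCESS"] == "YES":
            factors_seen[rec["USER_NAME"]].add(bool(rec["SECOND_AUTHENTICATION_FACTOR"]))
    return sorted(user for user, seen in factors_seen.items() if seen == {False})


def baseline_ips(records, cutoff):
    """Source IPs each user successfully logged in from before the cutoff."""
    cutoff_dt = datetime.fromisoformat(cutoff)
    base = defaultdict(set)
    for rec in records:
        if (rec["IS_SUCCESS"] == "YES"
                and datetime.fromisoformat(rec["EVENT_TIMESTAMP"]) < cutoff_dt):
            base[rec["USER_NAME"]].add(rec["CLIENT_IP"])
    return base


def suspicious_logins(records, cutoff):
    """Password-only successes on/after cutoff from an IP the user never used before.

    Returns (timestamp, user, ip, client_type) tuples, oldest first.
    """
    base = baseline_ips(records, cutoff)
    cutoff_dt = datetime.fromisoformat(cutoff)
    hits = []
    for rec in records:
        if (is_password_only(rec)
                and datetime.fromisoformat(rec["EVENT_TIMESTAMP"]) >= cutoff_dt
                and rec["CLIENT_IP"] not in base.get(rec["USER_NAME"], set())):
            hits.append((rec["EVENT_TIMESTAMP"], rec["USER_NAME"],
                         rec["CLIENT_IP"], rec["REPORTED_CLIENT_TYPE"]))
    return sorted(hits)


if __name__ == "__main__":
    recs = as_records(LOGIN_HISTORY)
    print("Users never seen with a second factor:", users_without_mfa(recs))
    for hit in suspicious_logins(recs, "2024-04-01"):
        print("password-only login from new IP:", hit)
```

Run against a real export of the view, the two lists are the triage queue: every user in users_without_mfa is one stolen password away from a full data pull, and each row from suspicious_logins is a candidate for the kind of access described above. Note that BOB's single password-only login is not flagged, because it came from his known IP, while the failed ETL_SVC attempt two minutes before the successful one is excluded by the IS_SUCCESS check but is exactly the kind of context an analyst would pull up next.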

AT&T disclosed the breach to the Securities and Exchange Commission (SEC) in an official filing, revealing that the company learned of the breach in April but was granted exemptions by the Department of Justice to delay notification due to potential concerns regarding national security or public safety. The FBI reviewed the data to assess potential harm shortly after AT&T discovered the breach.

The hacker believed to be behind the AT&T breach, John Erin Binns, was arrested in Turkey for an unrelated data theft from T-Mobile in 2021. Despite facing legal issues, Binns continued his hacking activities, including the AT&T breach.

Although AT&T made the payment and received proof of data deletion, there is concern that other copies of the stolen data may exist. The hacker claimed to have shared samples with others, raising the possibility of further risks to AT&T customers. AT&T has not officially commented, which adds to the uncertainty surrounding the situation.

AT&T’s decision to pay the hacker highlights the challenging decisions that companies face when dealing with data breaches and cybersecurity threats. Despite efforts to mitigate the damage, the incident underscores the ongoing risks and vulnerabilities in the digital landscape.
