AT&T Pays $370,000 Ransom to Prevent Stolen Data Leak

In a recent revelation, telecommunications giant AT&T disclosed a significant data breach, attributing it to a hacker residing in Turkey. Reports confirm that AT&T paid a ransom of $370,000 to safeguard stolen data from being exposed to the public. Wired Magazine detailed the incident, underscoring the gravity of the breach and the subsequent negotiations that ensued.

The breach, which affected approximately 110 million individuals, compromised phone call and text message records. This sensitive information was stored in a database hosted by Snowflake, a third-party cloud platform used by AT&T. The compromised records span May 1 to October 31, 2022, plus January 2, 2023, and capture interactions of both AT&T wireless customers and users of mobile virtual network operators (MVNOs) on AT&T’s network.

AT&T’s response was swift upon discovering the breach in mid-April 2024. The company immediately engaged external cybersecurity experts and notified law enforcement, including the US Department of Justice. Legal protocols allowed AT&T to delay public disclosure until May 9 and June 5, 2024, to facilitate thorough investigation and response coordination.

Despite the severity of the breach, AT&T assured customers that the stolen data did not include sensitive personal information such as Social Security numbers or birth dates. However, the exposed metadata, including interaction records and cell site identification numbers, could potentially be exploited by malicious actors to infer customer identities through publicly available tools.

The resolution of this cybersecurity incident took a controversial turn when AT&T opted to negotiate with the hacker responsible. Initially demanding $1 million, the hacker agreed to accept $370,000 in Bitcoin to delete the stolen data and provide evidence of its destruction. Wired verified the transaction through blockchain tracking tools, confirming the hacker’s compliance with the agreement.

A security researcher, known as Reddington, acted as an intermediary in facilitating the ransom payment and ensuring the deletion of the compromised data. Reddington clarified that AT&T’s decision to pay the ransom was strategic, aiming to mitigate further risks and protect customer privacy.

The hacker implicated in the breach, identified as John Erin Binns, has a history of involvement in cyberattacks targeting telecommunications companies. Binns, allegedly associated with the ShinyHunters hacking group, was previously arrested in Turkey for a 2021 data breach targeting T-Mobile. Despite Binns’ arrest, a member of the ShinyHunters group received the ransom payment on his behalf.

As investigations continue into the scope and impact of the breach, AT&T remains committed to enhancing its cybersecurity measures and safeguarding customer data. The incident underscores the persistent threats posed by cybercriminals and the critical importance of robust cybersecurity defenses in safeguarding sensitive information.

For now, AT&T customers and stakeholders await further developments as the company continues to address the aftermath of this significant data breach.

Sources:

  • Wired
  • TechCrunch
  • AT&T SEC Form 8-K