AT&T recently disclosed that it paid a hacker over $370,000 to delete stolen customer data following an April data breach. This incident exposed the call and text records of nearly all AT&T customers, including phone numbers and call counts.
After the breach, AT&T reported to the U.S. Securities and Exchange Commission (SEC) that it had enhanced its cybersecurity measures and was cooperating with law enforcement in the investigation.
However, it appears AT&T took additional steps to address the breach. According to Wired, AT&T paid 5.7 bitcoin (approximately $373,000 at the time) to a member of the hacking group ShinyHunters in mid-May. In return, the hacker reportedly deleted the stolen data from the cloud server and provided video proof of the deletion.
Despite this, there is no certainty that the compromised data is entirely secure, as digital information can be easily duplicated. A security researcher who facilitated the negotiations believes the only complete copy of the stolen data was deleted, but fragments might still exist.
Identifying the Culprit
The question of who was responsible for the breach remains. The hacker who received the ransom suggested known hacker John Binns, who was arrested in Turkey earlier this year for his alleged involvement in the 2021 T-Mobile hack. While Binns’ connection to the AT&T breach hasn’t been confirmed, AT&T’s SEC filing indicated that at least one person involved had been arrested.
The hacker claimed Binns had distributed data samples to other hackers. They initially demanded $1 million but eventually settled for the lower amount paid by AT&T. They managed to access the cloud server where Binns stored the data and deleted it.
Although the hacker’s direct involvement in the breach is unclear, their group, ShinyHunters, has been linked to other high-profile hacks. Recently, ShinyHunters demanded an $8 million ransom from Ticketmaster after hacking data related to around 440,000 ticket holders for Taylor Swift’s Eras Tour. Ticketmaster’s parent company, Live Nation, denied paying any ransom despite claims from ShinyHunters.
Broader Implications
Both the Ticketmaster and AT&T breaches have connections to third-party cloud storage provider Snowflake, used by both companies. Nonetheless, AT&T has faced other data security issues independent of Snowflake. In March, an unrelated leak exposed data of about 73 million current and former AT&T customers, including Social Security numbers and encrypted passwords.
These incidents highlight the ongoing challenges AT&T faces in securing its data and protecting its customers.