AT&T reportedly paid hackers over $370,000 to delete sensitive data stolen in a breach the telecom giant disclosed on July 12 that compromised call records of tens of millions of its customers.
The hacker, a Shinyhunters affiliate, had stolen the data by exploiting unsecured Snowflake cloud storage accounts and has now disclosed that AT&T paid them a ransom in May.
“A security researcher who assisted with the deal says he believes the only copy of the complete dataset of call and text records of ‘nearly all’ AT&T customers has been wiped – but some risks may remain,” a Wired report said.
The hacker provided a video as proof, showing the data being deleted in exchange for the ransom received. AT&T had not responded to queries as of the publication of this article.
Ransom paid in Bitcoin
The hacker disclosed the address of the cryptocurrency wallet that sent the payment in Bitcoin. The payment occurred on May 17, when AT&T reportedly paid 5.7 Bitcoin to the hacker, roughly $374,000.
TRM Labs, a blockchain intelligence and security firm, has confirmed the transaction, and the firm’s head of global investigations, Chris Janczewski, told media outlets that the money was laundered through several wallets but that the controller of these wallets could not be traced.
According to reports, the hacker initially demanded $1 million but eventually settled for almost a third of that amount.
It is now believed that it was, in fact, an American hacker living in Turkey, John Erin Binns, who had stolen the data. As Binns was arrested in an unrelated breach in May 2024, the Shinyhunters hacker, who was in possession of the only copy of the data, received the ransom.
Compromised call and text records
AT&T disclosed the breach in an SEC filing and said no actual content of any of the calls or texts had been compromised.
“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information,” the company said. “Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network.”
Despite AT&T’s reassurances, the stolen call detail records (CDRs) may still pose major risks to customers. Beyond threats like identity theft, social engineering, financial fraud, and phishing, compromised CDRs have been shown to be invaluable in criminal investigations and national-security contexts, because the metadata can reveal a connection between a victim and a perpetrator.
“There’s no business too big or security environment too advanced for threat actors to target,” said Dan Schiappa, Chief Product and Services Officer, Arctic Wolf. “Attacks on mega-corporations like AT&T and Ticketmaster provide attackers with the opportunity to command a large ransom sum with the stolen data, whether they sell it on the dark web or to American adversaries.”