AT&T hack: Carrier paid ransom for data; delayed public disclosure at request of FBI


More details are coming to light about the AT&T hack, which saw the personal data of around 110M customers compromised – including records of who they called and texted.

It’s reported that the carrier made a Bitcoin ransom payment in return for the hacker deleting the data, and that public disclosure of the security breach was delayed for two months in response to a request from the FBI.

The massive AT&T hack

The carrier disclosed the hack last week.

A massive AT&T data breach has seen hackers able to steal the personal data of almost every customer the company has – a total of some 110 million Americans. In an incredible security fail, the stolen data includes not only customer phone numbers, but also records of who contacted whom – a potential privacy minefield.

The carrier said the data was obtained from a third-party cloud platform, and this is now believed to be Snowflake – where data from other companies was also obtained. That includes the personal data of 560M Ticketmaster customers.

Carrier paid a ransom

Wired provides evidence that AT&T paid a ransom to the hacker in return for them deleting the data. The hacker originally demanded $1M in Bitcoin, and the amount finally paid was the equivalent of $373k.

The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it.

Both Wired itself and crypto-tracing firm TRM Labs were able to independently confirm transactions matching the hacker’s claim. Additionally, a security researcher who acted as a go-between also confirmed the payment, and provided proof.

AT&T delayed disclosure at FBI request

Normally, the law requires companies to report data breaches to the Securities & Exchange Commission (SEC) within four days of discovery. This requirement is intended to protect shareholders, rather than customers.

However, in this case CNN reports that AT&T contacted the FBI first, and the agency asked the carrier to delay public disclosure, granting it an exemption from the SEC requirement.

The company said the US Department of Justice determined in May and in June that a delay in public disclosure was warranted. The FBI said AT&T reached out shortly after learning about the hack, but the agency wanted to review the data for potential national security or public safety risks.

“In assessing the nature of the breach, all parties discussed a potential delay to public reporting… due to potential risks to national security and/or public safety,” the FBI said in a statement.

This appears to be the first cyber incident in which the Justice Department has asked a company to delay filing a disclosure with the SEC because of potential national security or public safety concerns.

The FBI made at least one arrest using the information provided.
