AT&T reportedly paid hackers more than $370,000 to delete stolen customer data. In an unusual turn of events, the ransom may not have gone to those who actually carried out the breach.
On Friday, AT&T revealed that a data breach in April exposed “nearly all” of its customers’ call and text message records, including phone numbers and the number of calls made. AT&T said in a filing with the U.S. Securities and Exchange Commission (SEC) that it has since strengthened its cybersecurity measures and is cooperating with law enforcement investigating the incident.
It now appears that this is not the only action AT&T has taken in response to this hacking attack. According to Wired, AT&T paid a ransom of 5.7 Bitcoins to a member of the hacker group ShinyHunters in mid-May, a transaction equivalent to a little more than $373,000 at the time. In exchange for the payment, the hackers reportedly deleted the stolen data from the cloud servers where it was stored, and provided video evidence that this had been done.
However, there’s no guarantee that the millions of people affected by the recent massive AT&T hack will be completely out of trouble, as digital data can easily be copied. Security researchers who brokered the negotiations between AT&T and the hackers told Wired they believe the only complete copy of the stolen data set has been deleted. However, incomplete fragments may still be at large.
Who is responsible for the AT&T hack?
There’s also the lingering question of who was responsible for the original breach. In an interview with Wired, the person who obtained the ransom pointed the finger at well-known hacker John Binns, who was arrested in Turkey earlier this year for his alleged role in the 2021 T-Mobile hack.
Binns’ alleged ties to the AT&T hack have not been formally confirmed, but the company’s SEC filings say at least one person involved has been arrested. 404 Media further reported that Binns was involved in the AT&T data breach.
The hacker claimed that Binns distributed the data samples to other hackers and that if he had not been caught, they would have tried to extort ransom from him instead of AT&T. Initially asking for $1 million, they eventually accepted a smaller amount and transferred it to their designated cryptocurrency wallet. According to reports, hackers were able to access the cloud server where Binns stored the hacked data and delete it from there.
While there are still questions about whether the ransom-seeking hackers were directly involved in the AT&T data breach, their group, ShinyHunters, has been behind some high-profile hacking incidents recently. ShinyHunters recently demanded an $8 million ransom following a massive hack of Ticketmaster earlier this year in which hackers allegedly stole around $440,000 from Taylor Swift’s Eras Tour ticket holder data. Although ShinyHunters claimed that Ticketmaster’s parent company Live Nation initially offered to pay a $1 million ransom, the company denied providing any funds to the hackers.
The Ticketmaster and AT&T hacks were both linked to breaches at third-party cloud storage provider Snowflake, of which both companies were customers.
Even so, AT&T appears to have trouble keeping its data safe even without Snowflake’s help. An unrelated breach in March exposed data on approximately 73 million current and former AT&T customers, including Social Security numbers and encryption passwords.