Special Report: AT&T Reportedly Paid Hackers Nearly $400,000 to Delete Data That Could Be a Gold Mine for Malicious Actors
The data stolen from AT&T could be used by malicious actors to construct compelling phishing attacks and other scams by revealing details of customers' lives. John Binns, previously indicted for a T-Mobile breach and currently imprisoned in Turkey, is reportedly connected to the AT&T breach.
AT&T reportedly paid nearly $400,000 to hackers who stole the call and text messaging records of “nearly all” its customers to delete the data and is currently notifying 110 million customers of the breach, which is just the latest in a spate of data thefts from attackers compromising organizations’ unsecured Snowflake cloud accounts.
The stolen data could become a gold mine for attackers looking to construct compelling phishing attacks and other scams to target individuals or specific communities.
Here's a run-down of what we know so far:
- The stolen AT&T data is from landline and cellular accounts and spans May 1, 2022, to October 31, 2022. A smaller, undisclosed number of people also had records from January 2, 2023, stolen in the breach. AT&T learned about the breach on April 19 of this year. The hackers accessed the data between April 14 and April 25 of this year.
- The data includes some records of customers of mobile virtual network operators. These MVNOs, including Boost, Cricket, and H2O, contract with AT&T to use its network and infrastructure.
- The data does not contain the content of calls or texts nor the date and time of communications, but the attackers did make off with phone numbers and a massive amount of metadata about calls and texts, including who contacted whom, call durations, and tallies of a customer’s total calls and texts. The trove also includes some cell site identification numbers, essentially cell tower data that can be used to approximate a cellphone's location when it made or received a call or text.
- AT&T said that, based on the information available to it, it understands that at least one person has been apprehended in connection with the case. Joseph Cox at 404 Media is reporting that, according to three sources, the man arrested in connection with the AT&T hack is a US citizen currently in prison in Turkey named John Binns. He was already indicted for allegedly breaking into T-Mobile in 2021 and
- AT&T reportedly paid a ransom of nearly $400,000. Wired is reporting that a hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, says that AT&T paid the ransom in May to delete the data and that the hackers provided a video demonstrating proof of deletion. Both Bloomberg and Wired viewed the roughly seven-minute video the hackers supplied to AT&T as evidence that they had deleted the data. Wired also reports that a security researcher who asked to be identified only by his online handle, Reddington, confirmed that a payment occurred. Bloomberg reports that the ransom was $370,000, a low dollar amount given the value of the data. Wired says it was indirectly through Reddington that AT&T learned about the data theft three months ago.
- Federal law enforcement delayed AT&T's notification on national security and public safety grounds. The payment to the hacker occurred when AT&T was working with federal law enforcement officials to respond to the breach and delayed making information about it public amid national security and public safety concerns. AT&T said the customer records were not taken from a law enforcement portal, in whole or in part. The reason why the data is a matter of national security and public safety concern is unclear. However, NextGov reports that the Departments of Homeland Security, Justice and State, Defense, Veterans Affairs, and intelligence agencies, including the NSA, have tapped AT&T for mobile projects. Moreover, AT&T manages the FirstNet program, a public safety network administered by the Commerce Department relied on by first responders at all levels of government, federal, state, local, and tribal.
If the attackers didn't delete the data they stole, a reasonable assumption according to cybersecurity researchers, the data provides a rich resource for attackers to engage in malicious activity. For some of the affected customers, the cybercriminals were also able to steal cell site identification numbers linked to phone calls and text messages. This linkage means someone could use this information to determine a customer's approximate location when they made a certain call or sent a text and perhaps infer sensitive details about their lives.
Rachel Tobac, a social engineering expert and founder of cybersecurity firm SocialProof Security, told TechCrunch, “This can reveal where someone lives, works, spends their free time, who they communicate with in secret including affairs, any crime-based communication or typical private/sensitive conversations that require secrecy.”
Jake Williams told Wired the stolen records "are a gold mine in intelligence analysis because they allow someone to understand networks—who is talking to whom and when. And threat actors have data from previous compromises to map phone numbers to identities." (Lily Hay Newman / Wired, Joseph Cox / 404 Media, Kim Zetter / Wired, Charles Gorrivan / Bloomberg, Lorenzo Franceschi-Bicchierai / TechCrunch, David DiMolfetta / NextGov)
Related: SEC, AT&T, CISA, Bloomberg, Digital Trends, AT&T, Krebs on Security, Cybernews.com, PCMag, PhoneArena, CoinGape, SiliconANGLE, The Verge, Boing Boing, Silicon Republic, Tech Xplore, itprotoday, Pixel Envy, AT&T, Verge, Wired, TechCrunch, SiliconANGLE, ABC News, The Cyber Express, ZDNet, Macworld, Wall Street Journal, The Register, MacRumors, International Business Times, Gizmodo, CRN, Washington Post, SC Media, CNBC, NBC News, Engadget, CNET, Reuters, Business Insider, USA Today, TIME, Bloomberg, SiliconRepublic, CyberScoop, Tech Monitor, New York Times, Fortune, TechRepublic, Light Reading, Fierce Network, RCR Wireless News, PYMNTS.com, Neowin, TechRadar, Pocket-lint, Hackread, Total Telecom, KnowTechie, Mashable, AppleInsider, NPR, Quartz, PCMag, GovInfoSecurity.com, Wccftech, Axios, iClarified, ComputerWeekly.com, Patently Apple, Android Headlines, Cord Cutters News, The Stack, 9to5Mac, Newser, Android Authority, Stack Diary, Help Net Security, New York Daily News, Benzinga, Daring Fireball, Constellation Research, CNBC, Barron's Online, PYMNTS.com, RCR Wireless News, Infosecurity Magazine, PhoneArena, Tom's Guide, CRN, Investor's Business Daily, The Cyber Express, CPO Magazine, Dark Reading, Silicon Republic, Mashable, The Cyber Express, PC Mag, PhoneArena, CoinGape, Silicon Angle, The Verge, Digital Trends, iTechPost