AT&T reportedly paid hacker $370,000 to delete stolen customer data

AT&T reportedly paid a hacker over $370,000 to delete stolen customer data. In an unusual twist of events, the ransom may not have gone to those who actually conducted the breach.

Last Friday, AT&T revealed that an April data breach had exposed the call and text records of "nearly all" its customers, including phone numbers and the number of calls made. In its filing to the U.S. Security and Exchange Commission (SEC), AT&T stated that it has since beefed up its cybersecurity measures, and was working with law enforcement in investigating the incident.

It now seems as though that isn't the only action AT&T has taken in connection with the hack. Wired reports that AT&T paid a ransom of 5.7 bitcoin to a member of hacking group ShinyHunters in mid May, equivalent to a little over $373,000 at the time of the transaction. In exchange for this payment, the hacker reportedly erased the stolen data from the cloud server where it had been stored, as well as provided video proof that this had been done.

There's no guarantee that the millions of people impacted by the recent massive AT&T hack are completely out of the woods though, as digital data can easily be copied. The security researcher who facilitated negotiations between AT&T and the hacker told Wired they believe the only complete copy of the stolen dataset was deleted. However, incomplete fragments may still be at large. 

Who is responsible for the AT&T hack?

There's also the lingering issue regarding exactly who was responsible for the initial breach. Speaking to Wired, the individual who obtained the ransom pointed the finger at known hacker John Binns, who was arrested in Turkey earlier this year due to his alleged involvement in the 2021 T-Mobile hack. 

Binns' alleged connection to the AT&T hack has not been officially confirmed, but the company's SEC filing stated that at least one individual involved had been arrested. 404 Media further reports that Binns has been linked to the AT&T breach.

The hacker claimed that Binns distributed samples of the data to other hackers, and that they would have attempted to extort a ransom from him rather than AT&T had he not been apprehended. Having initially demanded $1 million, they eventually accepted a lesser amount and had it transferred into their nominated cryptocurrency wallet. The hacker was reportedly able to access the cloud server on which Binns stored the hacked data, and deleted it from there.

While questions remain regarding whether the hacker who obtained the ransom was directly involved in the AT&T breach, their hacker group ShinyHunters has been behind some high profile hacks as of late. ShinyHunters recently demanded an $8 million ransom after conducting an enormous Ticketmaster hack earlier this year, which it stated includes the data of around 440,000 ticket holders for Taylor Swift's Eras Tour. Though ShinyHunters claimed that Ticketmaster's parent company Live Nation initially offered to pay $1 million in ransom, the company has denied offering the hackers any money at all.

The Ticketmaster and AT&T hacks have both been linked to a breach of third-party cloud storage provider Snowflake, of which the companies were clients. 

Even so, it seems as though AT&T has been having a tough time keeping its data secure even without Snowflake's help. An unrelated leak in March exposed data belonging to approximately 73 million current and former AT&T customers, including Social Security numbers and encrypted passwords.