AT&T has reportedly paid a hacker group $370,000 in bitcoin to delete customer data that was stolen earlier this year. This development highlights the growing challenges faced by corporations in dealing with cybersecurity threats and the ethical dilemmas surrounding ransom payments.
According to a report by Wired, AT&T engaged in negotiations through an intermediary named Reddington, who acted on behalf of a member of the ShinyHunters hacking group. The hackers initially demanded $1 million, but AT&T managed to negotiate the amount down to approximately $370,000, which was paid on May 17th.
The intermediary, Reddington, stated that he believed the only complete copy of the stolen data had been deleted after the ransom was paid. However, he also noted the possibility that excerpts of the data might still be circulating. Reddington admitted to negotiating with several other companies on behalf of the hackers, hinting at a broader pattern of similar breaches.
Before AT&T announced the breach, other companies such as Ticketmaster and Santander Bank were also reportedly compromised. These breaches were carried out using the stolen login credentials of an employee of the third-party cloud storage company Snowflake. Wired's report suggests that after the Ticketmaster attack, the hackers used a script to simultaneously hack more than 160 companies.
The payment to the hackers was confirmed through a transaction of 5.8 bitcoin, equivalent to $373,646 at the time. This transaction was tracked by Chris Janczewski, head of global investigations for crypto-tracing firm TRM Labs. Although the transaction matched the claim, there was no clear indication as to who controlled the wallets involved.
AT&T has yet to respond to the reports, which raises questions about the company's cybersecurity measures and its decision to pay the ransom. While paying a ransom is not in itself illegal for U.S. companies, the U.S. government strongly discourages such payments. The Treasury Department's Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) have warned that companies making ransom payments could face prosecution if the recipients are subject to U.S. sanctions.
Moreover, proposed legislation, the Ransomware and Financial Stability Act 2024, aims to prohibit major companies from making ransom payments exceeding $100,000 without explicit authorization from a federal law enforcement agency. This legislation seeks to reduce the incentive for ransomware attacks by limiting large-scale ransom payments and ensuring regulatory oversight of such transactions.
ShinyHunters, the hacking group involved, first emerged in early 2020 and quickly gained notoriety for its aggressive tactics and high-profile data breaches. The group typically hacks company databases, steals large volumes of data, and then offers to sell the information on sites such as BreachForums if a ransom payment is not made.
Recently, ShinyHunters was behind a breach of a third-party provider that compromised multiple high-profile customers of Snowflake Inc., including Ticketmaster in May and U.S. auto parts provider Advance Auto Parts on June 6th. The breaches highlight the vulnerabilities of interconnected digital ecosystems and the cascading effects of a single security lapse.