AT&T paid $370,000 to delete stolen customer data is profiled by BTW Media because published evidence links it to internet infrastructure, governance, operational dependencies, or market visibility.
AT&T paid $370,000 to delete stolen customer data is tracked as an internet infrastructure institution within the internet infrastructure ecosystem.
AT&T paid $370,000 to delete stolen customer data has public-source relevance to network operations, governance, dependency mapping, or market structure.
Public-source signals support medium-impact monitoring for infrastructure visibility and dependency analysis.
| 0.90–1.00 | A | High — direct sources |
| 0.75–0.89 | A/B | Strong |
| 0.55–0.74 | B/C | Medium |
| 0.35–0.54 | C/D | Weak–medium |
| 0.10–0.34 | D | Weak signal |
| 0.00–0.09 | D | Internal monitoring |
Several public sources
- AT&T faced criticism for reportedly paying a $370,000 ransom in Bitcoin to the ShinyHunters hacker group to delete stolen customer data, following negotiations mediated by an intermediary named Reddington, who also arranged similar deals for other victims.
- Prior to AT&T, attacks on Ticketmaster and Santander Bank, linked to compromised Snowflake credentials, revealed a widespread cyber assault involving over 160 companies targeted by an automated script.
OUR TAKE
The AT&T ransom payment to ShinyHunters highlights the escalating cyber threats and the ambiguous legal territory for US companies. With potential legal ramifications and the proposed Ransomware Act, businesses face challenging decisions balancing data recovery and integrity against fuelling the ransomware economy. Robust cybersecurity and clear legal guidance are essential.
–Vicky Wu, BTW reporter
What happened
AT&T has recently become embroiled in controversy over allegations that it paid a significant ransom to a hacker to destroy customer data illicitly seized during a series of cyberattacks this year. The hacker, part of the notorious ShinyHunters group, reportedly demonstrated data deletion to AT&T via a video after receiving a reduced ransom of approximately $370,000 in Bitcoin, negotiated down from the initial $1 million demand.
The negotiations were mediated by an individual known as Reddington, acting on behalf of ShinyHunters. While Reddington assured that the primary data cache was eradicated post-payment, he conceded that some data fragments could remain undiscovered. Furthermore, he admitted to arranging comparable ransom deals for other companies victimised by ShinyHunters.
Prior to AT&T’s breach disclosure, Ticketmaster and Santander Bank were also targeted, with the attacks linked to compromised Snowflake credentials. Following the Ticketmaster breach, it was discovered that hackers used an automated script to attack over 160 companies, indicative of a broad, systematic cyber assault.
Why it’s important
Although there is no blanket prohibition on paying ransoms, US-based companies, including AT&T, navigate a complex legal landscape when responding to ransom demands. Severe warnings from the US Department of the Treasury's OFAC and FinCEN caution that payments to sanctioned cybercriminals could lead to prosecution unless authorised by the government. Against this backdrop, the proposed Ransomware and Financial Stability Act of 2024 seeks to tighten regulations, aiming to prevent major corporations from paying ransoms over $100,000 without federal law enforcement approval, thereby reducing the financial incentive for ransomware attacks.
Central to these events is the notorious hacking group ShinyHunters, which emerged in 2020 and rapidly became infamous for its audacious attacks and high-profile data breaches. The group's tactics include breaching company databases, extracting data, and either demanding ransom or selling the information on dark web marketplaces like BreachForums. Recent incidents underscore ShinyHunters' ongoing threat: they breached a third-party provider connected to Snowflake Inc., compromising clients such as Ticketmaster Enterprise and Advance Auto Parts.
These events highlight the group’s persistence and ability to cause widespread harm across various industries. The situation reflects the evolving challenges in cybersecurity and the urgent need for robust legislation and corporate strategies to combat ransomware effectively.
At A Glance
- Name: AT&T paid $370,000 to delete stolen customer data
- Type: Internet infrastructure institution
- Base: Asia Pacific
- Profile focus: Institution
What It Does
- Public records support monitoring of its role, services, and key relationships.
Why It Matters
- Public-source signals support medium-impact monitoring for infrastructure visibility and dependency analysis.
- Operational criticality: Medium
- Time horizon: Next quarter
What To Watch
- Monitoring focuses on verified service continuity, governance changes, and relationship signals.
Track verified source updates, role changes, and current public evidence.
Longer-term relevance depends on verified operating, policy, and relationship changes.