Additional details are coming out about the AT&T hack, which saw the personal data of approximately 11 million customers exposed, including logs of who the customers called and texted.
Wired reports that the carrier did pay a ransom to the hacker via Bitcoin. Upon payment, the hacker was supposed to delete the purloined data. The public disclosure of the security breach was delayed for two months upon advice from the FBI.
The carrier disclosed the hack last week.
The stolen data also includes more recent records from January 2, 2023 for a smaller, unspecified number of customers, as well as call records of customers with other cellular carriers that rely on AT&T’s network. Some of the records also include cell site identification information for calls and texts, which could be used to determine the approximate location where a call was made or a text message was sent.
The stolen data does not include any call or text content or time stamps, according to AT&T. Information such as Social Security numbers, dates of birth, or other personally identifiable information was also not included in the breach.
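The absence of content and time stamps does not make this kind of data harmless. The following Python sketch is an added illustration, not code from the article or from AT&T, showing what an analyst can pull out of "who contacted whom, from which cell site" records alone: a contact graph per number and an approximate location for each number via a cell-site lookup. The records, the cell site IDs and the coordinate table are all constructed sample data, and the CSV field layout is an assumption for illustration, not AT&T's schema.

```python
from collections import Counter
import csv
import io

# Constructed sample records (not real AT&T data). Each row is one call or
# text: originating number, destination number, kind, and the cell site the
# originating handset used. No content, no timestamps, matching the article's
# description of what the stolen set did and did not contain.
SAMPLE_RECORDS = """\
src,dst,kind,cell_site
2125550101,2125550199,call,NYC-0042
2125550101,2125550199,text,NYC-0042
2125550101,3105550123,call,NYC-0042
2125550101,2125550199,call,NYC-0042
3105550123,2125550101,call,LAX-0007
3105550123,4155550177,text,LAX-0007
"""

# Constructed cell-site lookup (hypothetical IDs and coordinates). A carrier's
# real table maps each site ID to a tower location and sector, which is what
# turns a bare ID into an approximate location.
CELL_SITES = {
    "NYC-0042": ("Lower Manhattan", 40.7074, -74.0113),
    "LAX-0007": ("Westwood, Los Angeles", 34.0633, -118.4456),
}


def parse_records(text=SAMPLE_RECORDS):
    """Parse the CSV metadata rows into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def contact_graph(records):
    """Undirected contact counts: how often each pair of numbers interacted."""
    graph = Counter()
    for r in records:
        graph[tuple(sorted((r["src"], r["dst"])))] += 1
    return graph


def top_contacts(records, number, n=3):
    """Most frequent counterparties of `number`, strongest first."""
    counts = Counter()
    for (a, b), k in contact_graph(records).items():
        if number == a:
            counts[b] += k
        elif number == b:
            counts[a] += k
    return counts.most_common(n)


def likely_location(records, number):
    """Approximate location of `number`: the cell site it originated the most
    traffic from, resolved through the site table.
    Returns (site_id, label, lat, lon), or None if the number never originated
    a call or text in the data (a destination-only number carries no site)."""
    sites = Counter(r["cell_site"] for r in records if r["src"] == number)
    if not sites:
        return None
    site_id, _ = sites.most_common(1)[0]
    label, lat, lon = CELL_SITES.get(site_id, ("unknown site", None, None))
    return (site_id, label, lat, lon)


if __name__ == "__main__":
    recs = parse_records()
    for num in ("2125550101", "3105550123"):
        print(num, "contacts:", top_contacts(recs, num))
        print(num, "likely near:", likely_location(recs, num))
```

Even this handful of rows yields a ranked list of each number's closest contacts and a neighbourhood-level location for every number that originated traffic; scaled to months of records across tens of millions of subscribers, that is a social graph and a coarse location history for the whole customer base.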
AT&T said it learned of the data breach on April 19, and that it is unrelated to an earlier security incident in March.
AT&T told TechCrunch that the customer records were stolen from its account on Snowflake, the cloud data platform, during a recent spate of data thefts targeting Snowflake's customers. Several other companies have confirmed that data was stolen from their Snowflake environments, including Ticketmaster and QuoteWizard.
Wired reports that AT&T paid the hacker a ransom in return for deleting the data. The hacker originally demanded $1 million in Bitcoin; AT&T negotiated the payment down to roughly $373,000 worth of the cryptocurrency.
The hacker, who is part of the notorious ShinyHunters group that has stolen data from a number of victims through Snowflake customer accounts that were accessed with stolen credentials and were not protected by multi-factor authentication, tells WIRED that AT&T paid the ransom in May. He provided the address of the cryptocurrency wallet that sent the payment as well as the address that received it.
Both Wired itself and crypto-tracing firm TRM Labs independently confirmed transactions matching the hacker’s claim.
While SEC rules require public companies to disclose a material cybersecurity incident within four business days of determining that it is material, CNN reports that the carrier contacted the FBI first, which then asked it to delay public disclosure. The SEC rule permits such a delay when the Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
… The FBI said AT&T reached out shortly after learning about the hack, but the agency wanted to review the data for potential national security or public safety risks.
“In assessing the nature of the breach, all parties discussed a potential delay to public reporting… due to potential risks to national security and/or public safety,” the FBI said in a statement.
The FBI has made at least one arrest so far.