AT&T reportedly paid a hacker $370,000 to delete customer data stolen during a recent breach, according to Wired. This payment highlights the growing cybersecurity threats, as Ticketmaster’s Snowflake breach was one of 165 major incidents reported this year.
AT&T Pays $370K Ransom to Hacker; Ticketmaster's Snowflake Data Breach Among 160+ Compromises
During a hacking spree earlier this year, AT&T spent approximately $370,000 on a hacker to erase customer data that was seized from the company. As per a report published by Wired today, the perpetrator submitted a video to support their assertion that the data had been deleted.
According to reports (via The Verge), AT&T engaged in negotiations with an intermediary named Reddington, who was acting on behalf of a member of the ShinyHunters hacking group. At first, the intruder requested $1 million; however, as reported by Wired, AT&T ultimately agreed to pay the sum in bitcoin on May 17.
The outlet reports that Reddington, whom AT&T compensated for his involvement in the negotiations, stated that the sole complete copy of the data was erased after AT&T paid the ransom. However, he also suggested that excerpts may be still in circulation. Additionally, it is purported that Reddington negotiated with numerous other organizations regarding the hackers.
It was previously reported that Ticketmaster and Santander Bank were also compromised due to the stolen login credentials of a third-party cloud storage company, a Snowflake employee before AT&T confirmed the breach. According to Wired, hackers employed a script to potentially infiltrate over 160 organizationsconcurrently following the Ticketmaster attack.
Major Data Breach Affects Hundreds of Snowflake Customers, Including Ticketmaster and Santander Bank
Security researchers have reported that a "substantial amount of data" has been taken from hundreds of Snowflake cloud storage customers through compromised login credentials. This incident is associated with significant data breaches at Ticketmaster and Santander Bank.
Mandiant, a security firm actively investigating the data theft with Snowflake, disclosed on July 8 that it had traced the activity to a 'financially motivated threat actor' it designated as UNC5537. Mandiant has stated that its investigation has not located 'any evidence to suggest' that Snowflake's enterprise environment was breached, even though the two companies have notified at least 165 Snowflake customer organizations that may have been compromised since the ongoing threat activity was discovered in April.
Recent data exposures at Ticketmaster, Santander Bank, and LendingTree subsidiary QuoteWizard have been associated with the Snowflake cloud storage accounts that the companies utilize. Until now, there have been few official details regarding how the accounts were compromised. An earlier third-party report was removed from the internet after Snowflake denied that the platform was responsible.
Mandiant states that the UNC5537 group, which has not yet been identified, is "systematically compromising" Snowflake customers by utilizing login credentials stolen through historical infostealer malware infections on non-Snowflake-owned systems. This information was obtained as a result of Mandiant's investigation. UNC5537 was able to steal data from Snowflake customer instances to sell it on cybercriminal forums and extort the victims. Some of these credentials date back as far as 2020.
According to Mandiant, the UNC5537 campaign has led to 'numerous successful compromises' as a consequence of the poor security practices of the impacted accounts. These accounts failed to update stolen login credentials, utilize multi-factor authentication (MFA), or utilize network allow lists. Mandiant anticipates that UNC5337 will target additional platforms shortly, and the list of victims, which is currently largely unidentified, will expand. This warning is issued to help potential targets prepare and strengthen their security measures.