AT&T has been tight-lipped about whether it paid a ransom to hackers who claimed to have stolen a massive trove of call and text message logs from millions of customers in 2022.
However, a new report said that the telecom company paid the hackers nearly $400,000 to erase the stolen data.
Hacker Claims Extortion Payment Received
A hacker claiming responsibility for the breach alleges they received a payment of around $400,000 in Bitcoin to erase the stolen data, WIRED reports.
An analysis by Chainalysis Inc., a blockchain security firm, revealed a transaction in a Bitcoin wallet address provided by the hacker that aligns with the described extortion payment timeframe. Additionally, a source familiar with the negotiations anonymously confirmed that AT&T did indeed pay the ransom. Whether this payment involved an intermediary remains unclear.
AT&T, the FBI, and the Department of Justice have all declined to comment on these allegations.
National Security Concerns and Scope of the Breach
The compromised data reportedly included call and text logs, with some location information, potentially raising national security concerns.
Experts also expressed surprise at the relatively low ransom amount compared to other recent high-profile data breaches.
The breach is believed to be connected to a larger security incident at data analysis software provider Snowflake Inc. Snowflake is still dealing with reputational damage from the attack, which affected up to 165 of its customers.
Hacker Offers 'Proof' of Data Deletion
In an attempt to demonstrate fulfillment of their agreement with AT&T, the hacker provided a video supposedly showing them erasing the stolen data. Additionally, they claimed the involvement of other hackers in the attack.
Bloomberg was unable to independently verify the video's authenticity or the participation of other attackers.
AT&T would not confirm receiving the video. The company previously stated on Friday that it has no reason to believe the data was publicly exposed.
Extortion Payment Confirmed, But Source Unclear
Chainalysis, upon request from Bloomberg, analyzed the hacker's provided transaction record and compared it to public blockchain data. Their findings suggest an extortion payment where Bitcoin, valued at roughly $380,000 at the time, was deposited into the digital wallet identified by the hacker.
Chainalysis further noted a subsequent transfer of a smaller sum to another wallet belonging to a known hacker, whose identity was not disclosed. However, they could not confirm whether AT&T was the source of the initial payment.
Payment Timing Raises Questions
The alleged payment coincides with AT&T's reported collaboration with federal law enforcement to address the breach. With Justice Department approval, the company delayed public disclosure of the incident twice - on May 9 and again on June 5 - citing national security and public safety concerns.
Relatively Low Ransom Compared to Other Breaches
The reported ransom amount is significantly lower than the payouts in other recent high-profile data breaches. Colonial Pipeline Co. paid $4.4 million after a 2021 ransomware attack, while UnitedHealth Group Inc. made a $22 million payment following a February breach of its subsidiary, Change Healthcare.
The hacker claims they didn't believe the stolen information held significant value and didn't know of any potential buyers.
"For a big company like AT&T, $380,000 is a drop in the ocean. The relatively small ransom payment could be because there were no financial records accessed by the hacker," said Jon DiMaggio, chief security strategist at Analyst1.
Snowflake Confirms Connection to Larger Attack
Snowflake confirmed that the AT&T breach was part of a broader attack it disclosed last month. In that attack, hackers used stolen login credentials to access data belonging to up to 165 of Snowflake's customers.
Back in March, a separate data leak affecting 70 million users hit AT&T; the company denied it at the time.