AT&T Paid $370,000 For the Deletion of Stolen Phone Call Records (wired.com)
AT&T paid more than $300,000 to a member of the team that stole call records for tens of millions of customers, reports Wired — "to delete the data and provide a video demonstrating proof of deletion."
The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin... The hacker initially demanded $1 million from AT&T but ultimately agreed to a third of that. WIRED viewed the video that the hacker says he provided to AT&T as proof to the telecom that he had deleted its stolen data from his computer...
AT&T is one of more than 150 companies that are believed to have had data stolen from poorly secured Snowflake accounts during a hacking spree that unfolded throughout April and May. It's been previously reported that the accounts were not secured with multi-factor authentication, so after the hackers obtained usernames and passwords for the accounts, and in some cases authorization tokens, they were able to access the storage accounts of companies and siphon their data. Ticketmaster, the banking firm Santander, LendingTree, and Advance Auto Parts were all among the victims publicly identified to date...
The timeline suggests that if [John] Binns is responsible for the AT&T breach, he allegedly did it when he was likely already aware that he was under indictment for the T-Mobile hack and could face arrest for it.
It should be illegal to pay (Score:5, Insightful)
When asked why he robbed banks, Willie Sutton replied "that's where the money is."
Ransomware is going to continue to be a problem so long as the perpetrators make money - whether people pay to recover their data or to try and avoid embarrassment or even to keep the info from being sold on the "dark web" doesn't matter - they do it because they can make money from it.
I can't help but think that companies who pay such ransoms are just fueling the profitability, making it worth doing.
Re:It should be illegal to pay (Score:4, Insightful)
I can't help but think that companies who pay such ransoms are just fueling the profitability, making it worth doing.
As a taxpayer, I cannot help but think that any company that pays a ransom should not receive one fucking dime of Federal funding for any reason, and should immediately be ineligible for any Too Big To Fail bullshit excuse to save them from their own corrupt financial fuckery.
Re:It should be illegal to pay (Score:4, Informative)
I can't help but think that companies who pay such ransoms are just fueling the profitability, making it worth doing.
That is exceptionally obvious. Without all the unprepared assholes that paid, there would not be a ransomware crisis today. The other factor is crapcoins, that made large-scale and easy money-laundering possible.
Re: (Score:2)
While crypto coins make unhindered movement of assets quite easy, it's not the main determining factor here. Remember how Nigerian scammers had money sent to them through Western Union and similar services. The main reason they switched to crypto for this is because it's cheaper and easier than Western Union. Remember: AT&T wanted the perps to get this money. They were extorted, not defrauded. WU would not have interfered with that transaction.
The real culprit here is legal immunity of the perps. Their
Re: (Score:1)
As a taxpayer I don't think any corrupt congressman, ex-president, or supreme court butlicker should get any taxpayer funds either.
Corruption, lack of accountability, and all with our taxpayer dollars is why our country's leadership is crap, and when they won't police themselves, they won't police the police OR the corporations lining their pockets with moare.
Re: (Score:2)
By that same token as a customer - I'd rather they pay the ransom. My view is they have an obligation to protect me, their client, in any way they can after a breach. That absolutely includes paying the attackers to 'hopefully' delete the stolen data or at least not publish it.
I agree that it does - make crime pay - to some extent and that perhaps raises the risk in some unknowable way to unrelated parties. However someone decided to try digital - hostage taking ransom schemes, in the first place when there wa
how? (Score:5, Insightful)
How can a video provide proof of deletion? AT&T never heard of backups?
Re: (Score:3)
Seriously? _That_ shows "reasonable steps" when it does not get any more unreasonable?
Re: (Score:2)
I'm assuming this is based on a legal judgement in some class-action lawsuit where a judge ruled these to be 'reasonable steps'. That would be stupidity and/or corruption of the legal system. But maybe there's been no such precedent and the corpos have been advised by the legal department that this should help get them off the hook in a possible class action lawsuit. Not sure, neither judges nor upper management are known for their IT literacy. Although this isn't so much IT literacy as it is just common se
Re: (Score:2)
Or copies? Well. Maybe, just maybe they paid that sum for the appearance of "doing something". But terminal stupidity in corporate leadership is not unheard of.
Re: (Score:3)
>"How can a video provide proof of deletion? AT&T never heard of backups?"
I was going to post the same thing. How ridiculous. There is *no way* to prove or validate that data has been deleted everywhere. Showing it "deleted" in one place is completely meaningless. It might validate that person is accepting a contract and performing some "consideration" for payment. But that is a legal thing and, again, meaningless when you are dealing with someone who is essentially an anonymous criminal.
Really,
Re: (Score:3)
IANAL/etc, but maybe this is for the other end of the books? IE: by having them provide a video of a specific act, it can be considered a work for hire payment, rather than ransom. They paid for the video, so it's a valid purchase/sale and can be reported as such to the various authorities (tax/sec/etc..).
I deleted your post! (Score:1)
I deleted your post and now nobody will see it.
All hail the mighty Alt-F4. (Or ^Q).
What? You mean everyone else can still see it? Well give me my deletion-fee back! -- AT&T Execubot
Re: (Score:2)
How can a video provide proof of deletion? AT&T never heard of backups?
AT&T paid $370k for them not to release the data or sell it to a 3rd party in the short to medium term.
The idea that all copies of the data got deleted as well is just a convenient fiction that both sides agreed on.
Re: (Score:2)
AT&T paid $370k for them not to release the data or sell it to a 3rd party in the short to medium term.
IMO, that's the marketing version. The real version is, "AT&T paid $370k for a short video clip."
Paying for a promise of behavior is probably chock full of issues beyond the blatantly obvious - the inability to actually prove all copies have been deleted. Paying for a video clip is a straightforward purchase one can file and deduct.
Re: (Score:2)
AT&T paid $370k for them not to release the data or sell it to a 3rd party in the short to medium term.
IMO, that's the marketing version. The real version is, "AT&T paid $370k for a short video clip."
Paying for a promise of behavior is probably chock full of issues beyond the blatantly obvious - the inability to actually prove all copies have been deleted. Paying for a video clip is a straightforward purchase one can file and deduct.
Did you actually read my 2 line comment?
The marketing version is they deleted the content.
The actual version is they paid for them not to release the content, hopefully forever, but at least a few years.
And the actual version is fairly reasonable. The biggest value of the information comes from the threat to release it, no one else will pay much, so after that "promise to delete" ransom payment there's not much value in it.
And if you do try to go after them again, or you start auctioning off the data, then
Re: (Score:2)
Did you actually read my 2 line comment?
Yes, of course. And though I agree that the marketing version is they deleted it, I think there is a different and fairly obvious motivation for the video clip.
IMO, the purpose of the video clip has little to nothing to do with proof of deletion - we all know that proves no such thing. However, the video clip could provide something very useful to AT&T - a product to associate with the purchase price. They can't just dump hundreds of thousands of dollars into anonymous accounts for nothing but the hope
Re: (Score:2)
*everyone looks up*
Snowflake did not misrepresent themselves (Score:1)
Calling the company "Snowflake" was a leading indicator of their attitude toward sustainability, security, etc.
Danegeld (Score:5, Insightful)
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that plays it is lost!"
Rudyard Kipling, 1911
link to more about the poem and the term [kiplingsociety.co.uk]
Proof of deletion? (Score:3)
What is that supposed to be? Have we reached peak stupid?
Re: (Score:2)
What is that supposed to be? Have we reached peak stupid?
Peak implies that we're at the upper limit.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
Albert Einstein
Re: (Score:2)
Shhhh ! You have just invoked Betteridge's law.
Wake up folks (Score:2)
They are phone records which could expose serious skulduggery by ATT, other tech companies, corporate heads, politicians, etc.
Cheap (Score:2)
This settlement is missing at least one zero. Piker. Should have threatened to steal his pajamas.
The cheapest cost (Score:1)
Cost of protecting your data: A lot.
Cost of offering useless "LifeLock" once you get caught not protecting the data: Some.
Cost of paying a hacker to pretend to delete your data and send you a "video" of it: Virtually nothing.
AT&T Executives: WooHoo!!! This is the most cost effective solution for our shareholders.
Fuck you large companies that don't bother securing user data and then pay for NO SECURITY.
This is one case where LARGE FINES would make a difference, because they would encourage others to
So basically 6 BTC (Score:2)
I'd wager $10 they paid someone 6 BTC for that video proof showing the data being deleted.