AT&T Inc. is alleged to have paid about $370,000 to delete customer data relating to nearly all of its customers following its theft by the hacking group ShinyHunters.

According to Wired today, AT&T is said to have negotiated with an intermediary of ShinyHunters called Reddington to stop the data from being released. The hackers reportedly asked for $1 million originally before AT&T negotiated them down on the amount, which is alleged to have been paid in bitcoin on May 17.

Wired also claims to have confirmed that payment of 5.8 bitcoin, the equivalent of $373,646 at the time, was made to a bitcoin wallet ShinyHunters allegedly controls. While a transaction matching the claim exists, the report also references Chris Janczewski, head of global investigations for crypto-tracing firm TRM Labs, as noting that though a transaction meeting the claim took place, there was no indication as to who controlled the wallets.

AT&T has not yet responded to the report.

It’s not entirely illegal for a U.S. company to pay a ransom payment, though the U.S. government strongly discourages it. There are some laws, however, that AT&T could have breached if it did indeed make a payment to ShinyHunters.

In 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control and its Financial Crimes Enforcement Network warned that any company that paid a ransomware payment or a third party that facilitated a payment could be prosecuted in the case that the hackers demanding the ransom were subject to U.S. sanctions. The only exception where a company could make a ransom payment in such circumstances is with the permission of the U.S. government.

A proposed law, the Ransomware and Financial Stability Act 2024, would also prohibit major companies from making ransom payments exceeding $100,000 without explicit authorization from a federal law enforcement agency. The legislation aims to reduce the incentive for ransomware attacks by limiting large-scale ransom payments and ensuring regulatory oversight of such transactions.

The hacking group behind it all, ShinyHunters,  first emerged in early 2020 and quickly gained infamy for its aggressive tactics and high-profile data breaches. The group typically hacks company databases, stealing large volumes of data before offering to sell the information on sites such as BreachForums if a ransom payment is not made.

More recently, ShinyHunters was behind a breach of a third-party provider that resulted in the compromise of multiple high-profile companies that are customers of Snowflake Inc. Victims included TicketMaster Enterprise LLC in May and U.S. auto parts provider Advance Auto Parts Inc. on June 6.

Photo: Mike Mozart/Wikimedia Commons