A hacker who claims to have stolen sensitive call and text logs from AT&T Inc said they were paid about US$400,000 to erase the data trove.

An analysis of a Bitcoin wallet address provided by the hacker shows a transaction in mid-May that analysts say aligns with an extortion payment. A person familiar with the ransomware negotiations, who asked not to be named to discuss confidential matters, confirmed the payment from AT&T to the hacker. Whether AT&T used an intermediary to pay hackers wasn’t immediately clear.

An AT&T spokesperson declined to comment on whether the company paid a ransom to contain fallout from a hack that potentially exposed a huge cache of call and text logs from nearly all its wireless customers during a six-month period in 2022. The FBI and Department of Justice also declined to comment on the alleged payment.

The scope and details of the data, including some location information, presents national security risks, with some experts noting that the size of the alleged ransom payment appeared remarkably low compared to other recent high-profile extortion events. The breach also is one of numerous compromises tied to a security incident at the data analysis software provider Snowflake Inc, and that company continues to deal with reputational fallout from the matter.

The hacker said they were providing the information - and a roughly seven-minute video that they claimed showed them deleting the data - to try to demonstrate that they had fulfilled their agreement with AT&T. The person also said that other hackers were involved in the attack. Bloomberg was unable to verify the authenticity of the video, and the hackers’ claim that other attackers were involved in the incident.

An AT&T spokesperson declined to comment on whether the company had received the video. AT&T said on July 12 that it didn’t believe that the stolen call and text logs had been made public.

At Bloomberg’s request, Chainalysis Inc, examined the record of payment provided by the hacker and compared it to information on the blockchain, a publicly available ledger of cryptocurrency transactions. The company said it appears to be an extortion payment in which someone deposited Bitcoin, worth about US$380,000 at the time, into the digital wallet identified by the hacker.

Chainalysis said a smaller sum was then moved from that wallet into another one belonging to a known hacker, who the firm declined to identify.

Chainalysis said it couldn’t determine if the initial Bitcoin payment was made by AT&T.

The transaction occurred at a time when AT&T was working with federal law enforcement officials to respond to the breach and delay making information about it public amid national security and public safety concerns. With the approval of the Justice Department, the company delayed disclosure twice - on May 9 and again, on June 5, according to a regulatory filing.

The alleged payment is relatively low when compared to ransom demands - and payments - for other recent high-profile data breaches. For instance, Colonial Pipeline Co paid a hacking group US$4.4mil after a ransomware attack in 2021 forced it to shut down its pipeline, snarling gas supplies on the US East Coast, while UnitedHealth Group Inc made a US$22mil payment to a cybercrime group after a February breach of its subsidiary, Change Healthcare.

"For a big company like AT&T, US$380,000 is a drop in the ocean,” said Jon DiMaggio, chief security strategist at Analyst1, who responded to questions from Bloomberg but wasn’t involved in responding to the breach of AT&T data. The relatively small ransom payment could be because there was no financial records accessed by the hacker, he said.

The hacker said they didn’t believe the information they had stolen from AT&T was valuable, or know who might be interested in purchasing it.

A Snowflake representative said the hack of AT&T records was part of a larger campaign the company disclosed last month, where attackers had used stolen login details to access as many as 165 of its customers.

Wired previously reported on the payment.

 - Bloomberg