Frontier Communications: 750k people's data stolen in April attack on systems

Frontier Communications has confirmed more than 750,000 individuals were affected in an April cyberattack on its systems, according to a regulatory filing.

Lawyers representing the major US telco told the Office of the Maine Attorney General that data belonging to 751,895 people was stolen. The data types impacted, according to the filing, are limited to names and social security numbers. No financial data is believed to be compromised.

"We take this incident and the security of information in our care seriously. Upon discovering the incident, Frontier retained leading cybersecurity experts to support the investigation and contain the incident," the company said in a letter to affected individuals. 

"We also took steps to further strengthen our network security and prevent further access by the third party. We have notified law enforcement and applicable regulatory authorities."

The filing marks the first time the company officially confirmed the scale of the breach, which was first detected on April 14 of this year per the company's filing with the SEC. 

Frontier said once the attack was detected, its incident response plans were engaged and containment measures began, which involved shutting down certain systems. At no point did the company mention the involvement of ransomware, contrary to other claims made this week.

Cybercriminals at RansomHub thisa week took responsibility for the attack, making the inflated claims that the gang actually stole data belonging to more than 2 million people – yet more evidence that the claims of crims shouldn't ever be fully trusted.

It also alleged home addresses, dates of birth, credit scores, and phone numbers are included in the data theft. It tried to back this up with a screenshot depicting what it says is the data trove, appearing to contain the additional data types not disclosed to the Maine AG.

"Now anyone who wants to buy this data can contact our blog support, we only sell it once," said RansomHub.

The criminals allegedly took a similar approach to selling stolen data following its attack on auctioning giant Christie's, although experts speaking to El Reg, and many others, believe the gang merely claimed the data was auctioned off as a way to hide the fact it couldn't monetize the files after Christie's refused to pay a ransom.

Since first spinning up in February, RansomHub has propelled itself up the ransomware rankings – according to Symantec, it's now the fourth most prolific gang behind LockBit, Play, and Qilin.

• Christie's stolen data sold to highest bidder rather than leaked, RansomHub claims
• Change Healthcare faces second ransomware dilemma weeks after ALPHV attack
• What is RansomHub? Looks like a Knight ransomware reboot
• LockBit redraws negotiation tactics after affiliates fail to squeeze victims

It also made a name for itself by attempting to extort Change Healthcare after the healthcare org already paid a ransom to its original attackers, ALPHV. The incident sparked rumors of the group being an ALPHV rebrand after leadership took the affiliate's fee and ran.

However, more recent thinking suggests that RansomHub is actually a reboot of the Knight ransomware gang, but is being assisted by former ALPHV affiliate Notchy – a criminal who along with the fall of their former employer may be helping to attract new affiliates to RansomHub. ®