ADT says its home security systems were not compromised in a recent data breach, but customer information was still exposed.
The company confirmed that hackers accessed customer names, phone numbers, home addresses, and small portions of tax IDs, including partial Social Security numbers. ADT said payment information was not accessed, though breach data reviewed by Have I Been Pwned reportedly affected 5.5 million people.
That leaves customers facing a familiar post-breach problem: even partial personal data can become useful fuel for phishing, impersonation, and identity-related scams.
Two sides of a story
Even with subtle differences between what ADT is saying and what the hacking groups have revealed, both groups agree there was a breach. The differences, however, stem from how both parties frame the incidentâs scope.
ADT has acknowledged the breach and, through its investigation, confirmed that hackers accessed certain customer data.
Customer names, phone numbers, and home addresses were stolen. The hackers also accessed small percentages of customersâ dates of birth, tax IDs, and the last four digits of their social security numbers.
In a statement to BleepingComputer, ADT said that âno payment information â including bank accounts or credit cards â was accessed, and customer security systems were not affected or compromised in any way.â While that sounds like a relief, it depends on what the hackers decide to do with the data theyâve already accessed. And experience with past data breaches of this scale is far from reassuring.
For example, access to partial SSNs might look insignificant, but when combined with other accessed data, itâs enough to carry out personalized phishing campaigns that are hard to detect.
According to information posted on ShinyHuntersâ dark web platform and cited by BleepingComputer, the group has already leaked 11GB (more than 10 million records) of archived data, belonging to ADT.
âThe company failed to reach an agreement with us,â the hacking group wrote on its website.
We donât know if this is all, given ADTâs claims of the hack being limited. However, an analysis of the leaked data by Have I Been Pwned shows it belonged to 5.5 million people.
If the 5.5 million figure is accurate, the breach would represent a significant share of ADTâs customer base.
How did a hack this significant happen
The reported access point was not ADTâs home security systems, but an employee account tied to cloud business tools.
BleepingComputer says the group informed it that the breach happened by compromising the single sign-on (SSO) of an employeeâs Okta account using voice phishing (vishing). While it didnât disclose the details of how it happened, it appears to be another example of social engineering targeting employee accounts that can expose data stored on major cloud platforms.
With access to the employeeâs account, the group exfiltrated data from the companyâs Salesforce instance.
The group isnât new to this technique. To steal data, it uses vishing to compromise Microsoft Entra, Okta, and Google SSO accounts belonging to employees and Business Process Outsourcing (BPO) agents at several companies.
It also has a taste for some of the worldâs largest and most established companies. Aside from ADT, which is the USâ oldest home security company, its most recent hack was a breach of Medtronic. Medtronic is the largest maker of medical devices in the world, with a presence in 150 countries.
What ADT is doing now and what customers should watch out for
Following the detection of the breach, the company terminated access and launched an investigation. While it didnât reveal the number of affected customers or the amount of stolen data beyond what Have I Been Pwned disclosed, it has reached out to all affected customers, according to Security Magazine.
In cases like this, affected customers are offered credit monitoring services and urged to watch out for phishing attempts.
Also read: The Amtrak data breach exposed more than 2.1 million customer records after a CRM access incident, highlighting risks around customer data platforms.
Read the full article here
