ADT said Friday it confirmed a cyber intrusion after an extortion attempt by the ShinyHunters crew and moved quickly to contain it. The company said it detected unauthorized access on April 20, shut it down that day, brought in outside incident responders and looped law enforcement into the response.
ADT said the intruder made off with a limited set of data that included names, phone numbers and addresses. A smaller slice also included dates of birth and the last four digits of Social Security or tax ID numbers. The company said no payment data was accessed and customer security systems were not touched.
The breach lands at a sensitive moment for ADT, one of the world’s largest providers of monitored home alarm systems, which sells burglar alarms, cameras and smart home kits. ShinyHunters said it was airing the data after talks with ADT went nowhere, and the group claimed it had lifted more than 10 million Salesforce records containing personal and internal corporate data. It has made similar claims about Carnival Corporation in recent weeks.
There is still a wide gap between the two accounts. ADT described a limited set of data tied to certain cloud-based environments, while The Register said the company has not yet answered basic questions about how it was compromised, how many people were affected, whether customers outside the US are involved or whether breach notices have been filed with state attorneys general. Have I Been Pwned listed 5.5 million unique email addresses tied to the incident, adding another sign that the scope may be larger than ADT’s first description suggests.
For customers, the immediate concern is not whether alarm systems were disabled — ADT says they were not — but how far the stolen data may travel now that it has been put up for sale and publicity. The next public answer will matter less for the hackers than for the people whose names, addresses and partial identification numbers may already be in circulation.