ADT Confirms Major Data Breach Exposing Millions of Names, Partial SSNs

Image: ShinyHunters’ dark web notice of ADT hack

ADT says its home security systems were not compromised in a recent data breach, but customer information was still exposed.

The company confirmed that hackers accessed customer names, phone numbers, home addresses, and small portions of tax IDs, including partial Social Security numbers. ADT said payment information was not accessed, though breach data reviewed by Have I Been Pwned reportedly covers 5.5 million people.

That leaves customers facing a familiar post-breach problem: even partial personal data can become useful fuel for phishing, impersonation, and identity-related scams.

Two sides of a story

Despite subtle differences between what ADT is saying and what the hacking group has revealed, both sides agree there was a breach. The differences stem from how each party frames the incident’s scope.

ADT has acknowledged the breach and, through its investigation, confirmed that hackers accessed certain customer data.

Customer names, phone numbers, and home addresses were stolen. The hackers also accessed small percentages of customers’ dates of birth, tax IDs, and the last four digits of their Social Security numbers.

In a statement to BleepingComputer, ADT said that “no payment information — including bank accounts or credit cards — was accessed, and customer security systems were not affected or compromised in any way.” While that sounds like a relief, it depends on what the hackers decide to do with the data they’ve already accessed. And experience with past data breaches of this scale is far from reassuring.

For example, access to partial SSNs might look insignificant, but when combined with other accessed data, it’s enough to carry out personalized phishing campaigns that are hard to detect.

According to information posted on ShinyHunters’ dark web platform and cited by BleepingComputer, the group has already leaked 11GB (more than 10 million records) of archived data belonging to ADT.

“The company failed to reach an agreement with us,” the hacking group wrote on its website.

We don’t know if this is all, given ADT’s claims of the hack being limited. However, an analysis of the leaked data by Have I Been Pwned shows it belonged to 5.5 million people.

If the 5.5 million figure is accurate, the breach would represent a significant share of ADT’s customer base.

How did a hack this significant happen?

The reported access point was not ADT’s home security systems, but an employee account tied to cloud business tools.

BleepingComputer says the group told it that the breach happened through the compromise of an employee’s Okta single sign-on (SSO) account using voice phishing (vishing). While the details of how it happened were not disclosed, it appears to be another example of social engineering that targets employee accounts and can expose data stored on major cloud platforms.

With access to the employee’s account, the group exfiltrated data from the company’s Salesforce instance.

The group isn’t new to this technique. To steal data, it uses vishing to compromise Microsoft Entra, Okta, and Google SSO accounts belonging to employees and Business Process Outsourcing (BPO) agents at several companies.

It also has a taste for some of the world’s largest and most established companies. Aside from ADT, which is the oldest home security company in the US, its most recent hack was a breach of Medtronic. Medtronic is the largest maker of medical devices in the world, with a presence in 150 countries.

What ADT is doing now and what customers should watch out for

Following the detection of the breach, the company terminated access and launched an investigation. While it didn’t reveal the number of affected customers or the amount of stolen data beyond what Have I Been Pwned disclosed, it has reached out to all affected customers, according to Security Magazine.

In cases like this, affected customers are offered credit monitoring services and urged to watch out for phishing attempts.
