Charter Communications breach exposes data of 4.9 million accounts
At a glance:
- ShinyHunters hackers breached Charter Communications in early April, exposing personal data of 4.9 million accounts.
- Attackers used a voice phishing (vishing) attack to compromise an employee's Microsoft Entra account, then stole 42 million records from Salesforce.
- Charter claims no sensitive personal information or CPNI was taken, but leaked data includes names, emails, addresses, and phone numbers.
What happened
Charter Communications, one of the largest telecommunications providers in the United States, confirmed a significant data breach earlier this week. The breach, which occurred in early April, was carried out by the ShinyHunters extortion gang, who claimed responsibility for the attack. The company, which operates under the Spectrum brand, provides services to over 32 million customers and more than 57 million homes across 41 states. With approximately 92,000 employees, Charter is a major player in the U.S. telecom market, making this breach particularly concerning for millions of Americans.
According to data breach notification service Have I Been Pwned, the incident exposed personal information linked to 4.9 million unique accounts. While Charter initially stated that no sensitive personal information (PI) or customer proprietary network information (CPNI) was exfiltrated, the leaked data includes names, email addresses, physical addresses, and phone numbers. This discrepancy highlights the ongoing challenges companies face in accurately assessing the scope of breaches and communicating with affected customers.
What data was stolen
The ShinyHunters group claimed to have stolen approximately 42 million records from Charter's Salesforce instance. This data includes consumer and business customer names, email addresses, physical addresses, phone numbers, phone types, plan information, support ticket data, and some CPNI. Additionally, a subset of about 85,000 records from an internal employee directory also contained job titles, which could pose further risks for targeted attacks or social engineering.
Have I Been Pwned analyzed the leaked data and confirmed the exposure of 4.9 million unique email addresses along with the associated personal details. The inclusion of job titles in a portion of the data adds a layer of concern, as it could enable more sophisticated phishing campaigns. Despite Charter's assertions, the extent of CPNI data stolen remains unclear, as the company has not provided further details beyond its initial statement.
How the breach occurred
The breach was initiated through a voice phishing (vishing) attack on April 1, which compromised an employee's Microsoft Entra account. ShinyHunters leveraged this access to infiltrate Charter's systems and exfiltrate data from the company's Salesforce instance. Vishing attacks, which involve tricking individuals into revealing sensitive information over the phone, have become increasingly common as attackers exploit human vulnerabilities to bypass technical security measures.
This method of entry allowed the threat actors to move laterally within Charter's environment and access sensitive customer data. The use of a compromised employee account underscores the importance of robust identity and access management (IAM) practices, as well as continuous employee training to recognize and report phishing attempts. The incident also highlights the ongoing threat posed by attacks targeting cloud-based platforms like Salesforce, which store vast amounts of customer information.
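Detection logic for the signal this chain leaves behind: one identity reading far more CRM records than its own history supports, on a day it also signed in from a device not seen before. This is an added example, not part of the original article and not Charter's tooling; the event tuples, field layout and thresholds are constructed assumptions, not the Microsoft Entra or Salesforce log schemas.

```python
from collections import defaultdict
from statistics import median

# Constructed events: (timestamp, user, source, detail).
# source "idp": detail is a device id; source "crm": detail is rows returned.
EVENTS = [
    ("2000-01-01T09:00", "alice", "idp", "dev-A"), ("2000-01-01T09:30", "alice", "crm", 180),
    ("2000-01-02T09:00", "alice", "idp", "dev-A"), ("2000-01-02T10:00", "alice", "crm", 220),
    ("2000-01-03T09:00", "alice", "idp", "dev-A"), ("2000-01-03T11:00", "alice", "crm", 150),
    ("2000-01-04T09:00", "alice", "idp", "dev-A"), ("2000-01-04T09:45", "alice", "crm", 200),
    ("2000-01-05T02:10", "alice", "idp", "dev-X"), ("2000-01-05T02:20", "alice", "crm", 50000),
    ("2000-01-05T02:40", "alice", "crm", 70000),
    # bob: reporting account with heavy but stable volume (should not alert)
    ("2000-01-01T08:00", "bob", "crm", 30000), ("2000-01-02T08:00", "bob", "crm", 30000),
    ("2000-01-03T08:00", "bob", "crm", 30000), ("2000-01-04T08:00", "bob", "crm", 30000),
    ("2000-01-05T08:00", "bob", "crm", 31000),
    # carol: new device but normal volume (should not alert)
    ("2000-01-01T09:00", "carol", "idp", "dev-C"), ("2000-01-01T09:05", "carol", "crm", 100),
    ("2000-01-02T09:05", "carol", "crm", 120), ("2000-01-03T09:05", "carol", "crm", 90),
    ("2000-01-04T09:00", "carol", "idp", "dev-D"), ("2000-01-04T09:05", "carol", "crm", 110),
]

def find_bulk_reads(events, factor=20, floor=1000, min_history=3):
    """Return (user, day, rows, new_device_same_day) for days far above the user's own baseline."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> rows read
    seen = defaultdict(set)                        # user -> device ids seen so far
    new_dev = defaultdict(set)                     # user -> days with a first-seen device
    for ts, user, source, detail in sorted(events, key=lambda e: e[0]):
        day = ts[:10]
        if source == "idp":
            if seen[user] and detail not in seen[user]:
                new_dev[user].add(day)
            seen[user].add(detail)
        elif source == "crm":
            daily[user][day] += detail
    alerts = []
    for user, days in daily.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            prior = [days[d] for d in ordered[:i]]
            if len(prior) < min_history:
                continue  # not enough history to judge this user yet
            # The median keeps one earlier spike from inflating the baseline.
            threshold = max(factor * median(prior), floor)
            if days[day] > threshold:
                alerts.append((user, day, days[day], day in new_dev[user]))
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_reads(EVENTS):
        print(alert)
```

Baselining each identity against itself is what keeps the high-volume reporting account quiet while the ordinary account that suddenly reads 120,000 rows is flagged.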
Charter's response
In the aftermath of the breach, Charter Communications has taken steps to address the incident, including alerting authorities and working to secure its systems. The company has maintained that no sensitive personal information or CPNI was stolen, though it has not provided detailed evidence to support this claim. Charter has also not shared specifics about the technical measures taken to prevent further breaches or to protect customer data going forward.
The company's response has been limited to a public statement and referrals to that statement when pressed for additional information. This lack of transparency has raised questions among cybersecurity experts and affected customers about the true extent of the breach. Charter's reluctance to disclose more details may stem from legal or reputational concerns, but it also leaves stakeholders without a clear understanding of the risks they face.
Broader context and industry impact
The breach at Charter Communications is part of a larger trend of attacks targeting the telecommunications industry. In recent months, a Chinese state-backed threat group known as Salt Typhoon has compromised multiple telecom providers, including AT&T, Verizon, Consolidated Communications, Windstream, and Lumen, as well as companies in other countries. These attacks often aim to steal sensitive data or disrupt services, posing significant national security and privacy concerns.
The FBI has advised victims of ShinyHunters not to pay the ransom demanded by the extortion group, noting that doing so does not guarantee the data will not be leaked or sold to other criminals. This guidance reflects a broader shift in cybersecurity strategy, emphasizing resilience and recovery over ransom payments. As telecom companies continue to be prime targets, the industry must invest in advanced security measures, collaborate with law enforcement, and enhance threat intelligence to mitigate future breaches.
Prepared by the editorial stack from public data and external sources.