Frontier says 750,000 Social Security numbers accessed during April cyberattack

Dallas-based telecommunications company Frontier Communications told regulators that more than 750,000 U.S. residents had information stolen during a cyberattack that took place in April.

Frontier — which offers internet and TV service across 25 states — previously reported the cyber incident to the U.S. Securities and Exchange Commission (SEC) in April but filed new documents with regulators in Maine on Thursday specifying how many people were impacted. 

According to the documents, 751,895 people had their names and Social Security numbers accessed by hackers during the attack, which Frontier said was discovered on April 14. 

Victims are being given one year of identity theft protection. The ransomware gang allegedly behind the incident claimed this week to have stolen information on more than 2 million people.

The ransomware operation — RansomHub — was spotlighted by researchers on Wednesday as a likely rebranded version of the older Knight ransomware.

Experts at Symantec said the operators behind the Knight ransomware tried to sell the source code of the malware on the dark web in February before it was used as part of the new ransomware-as-a-service operation.  

The degree of code overlap between the two families is “significant, making it very difficult to differentiate between them,” the researchers said, adding that the operation has quickly become the fourth most prolific ransomware group over the last three months. 

“One factor contributing to RansomHub’s growth may be the group’s success in attracting some large former affiliates of the Noberus (aka ALPHV, Blackcat) ransomware group, which closed earlier this year,” they said. 

The group is now hosting data stolen from UnitedHealth Group and in addition to the incident involving Frontier, RansomHub also claimed the high-profile attack on Christie’s, one of the world’s largest auction houses. On Friday, Christie’s filed its own breach notification documents with regulators in California. 

The speed with which RansomHub has launched its increased number of attacks “suggests that the group may consist of veteran operators with experience and contacts in the cyber underground,” Symantec said.