Multiple iHeartRadio stations breached in December

Several radio stations owned by iHeartMedia were breached in December, exposing Social Security numbers, financial information and other personal details.

The media conglomerate filed breach notices in several states but declined to say how many people were impacted or how many stations were attacked when reached for comment.

“iHeartMedia + Entertainment, Inc. discovered and addressed an incident involving unusual activity on some systems at a small number of our local stations,” a spokesperson told Recorded Future News. “Upon detecting the activity, we took immediate steps to block it; triggered our incident response protocols; and launched an investigation with the assistance of a third-party cybersecurity firm. We also notified law enforcement.”

The breach letters sent to victims explain that hackers accessed the company’s systems between December 24 and December 27, viewing and obtaining files “on systems at a small number of local” iHeart stations.

The company conducted an investigation that ended on April 11, finding that the hacker’s accessed Social Security numbers, tax ID numbers, driver’s licenses, passport numbers, financial account numbers, health insurance information and payment card numbers. 

Victims are being given one year of identity protection services and a phone number was created to answer any questions those affected may have. 

The company reported the data breach to Maine, Massachusetts and California. It left blank the section of Maine’s form that asks how many total victims there are. No hackers ever took credit for the attack.

iHeart is the largest audio-focused company in the U.S., owning more than 870 stations and reaching a quarter of a billion listeners monthly. It reported a revenue of $3.8 billion last year.

Last week another large media conglomerate, Urban One, reported a data breach impacting the information of an unknown number of employees after a ransomware gang launched a cyberattack in February.