It is always a bit awkward when threat actors reveal a breach before the victim releases their version of events. In this case, home safety giant ADT notified the SEC about a breach after data from it was already being leaked on a hacking forum.
On July 31, a forum user with a high positive reputation announced:
The infamous security company ADT with $5B Revenue suffered a databreach exposing over 30,812 records including 30,400 unique emails, the records contain:
CustomerEmail, Full address, User ID, Products Bought, Etc…
A sample of the data was provided and forum users can download all of the data if they have forum tokens to “pay” for it.
ADT subsequently submitted a notification via 8K form to the Securities and Exchange Commission:
On Item 8.01 Other Information.
ADT Inc. (“ADT” or the “Company”) recently experienced a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information. After becoming aware of the incident, the Company promptly took steps to shut down the unauthorized access and launched an investigation, partnering with leading third-party cybersecurity industry experts. The attackers nonetheless obtained some limited customer information, including email addresses, phone numbers and postal addresses.
Based on its investigation to date, the Company has no reason to believe that customers’ home security systems were compromised during this incident. Additionally, the Company has no reason to believe the attackers obtained other personally sensitive information such as credit card data or banking information. The Company is continuing its investigation into this cybersecurity incident and has notified the customers it believes to have been affected, who comprise a small percentage of the Company’s overall subscriber base. While the investigation remains ongoing, as of the date of this filing, the Company believes this cybersecurity incident has not materially impacted its operations and does not expect that this incident is reasonably likely to have a material impact on the Company’s overall financial condition, results of operations, or ability to meet its 2024 financial guidance.
Although the data acquired do not seem particularly sensitive, they might potentially be used to phish or trick ADT customers into giving up their security codes and information that would allow fraud or physical access to their homes. ADT will need to really educate and warn affected customers about the risk that they may be contacted and what they should do if they receive any phone calls or emails requesting any information.