
Home Security Company ADT Confirms Data Breach after a Hacker Lists Stolen Database for Sale

American home security company ADT has confirmed a data breach after a threat actor listed the stolen database for sale on a hacking forum.

Employing over 13,000 people in over 150 locations in the United States, ADT provides residential and small business security solutions, such as fire protection, electronic security, and alarm monitoring. The Florida-based company has a customer base of over 6 million and earned $4.98 billion in revenue in 2023.

According to its regulatory filing with the U.S. Securities and Exchange Commission (SEC), ADT says the cybersecurity incident impacted a “small percentage” of its subscribers and leaked “limited” personal information.

ADT confirms a home security data breach

ADT said it terminated the unauthorized access, launched an investigation, and hired external security experts after an unauthorized party gained access to customer data.

“ADT Inc. recently experienced a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information,” the company said. “After becoming aware of the incident, the Company promptly took steps to shut down the unauthorized access and launched an investigation, partnering with leading third-party cybersecurity industry experts.”

“The attackers nonetheless obtained some limited customer information, including email addresses, phone numbers, and postal addresses,” stated ADT.

However, the data breach did not compromise credit card data or banking information. The SEC filing also claims that the home security data breach impacted “a small percentage of the Company’s overall subscriber base.”

The company also says no evidence suggests the cybersecurity incident compromised customers’ home security systems. According to the SEC filing, ADT has also notified impacted customers and continues to investigate the data breach incident.

Meanwhile, the home security company provided limited information about the incident, leaving out details such as the victim count and the implicated threat actor. Similarly, how the threat actor gained access remains undisclosed.

“This incident reported to the SEC by ADT has the potential to have a large customer impact for current customers,” said Jim Routh, Chief Trust Officer at Saviynt. “It is not clear from the information reported what the root cause for the data breach was. A common threat actor tactic is to release small amounts of customer information in a public forum to increase leverage toward an extortion payment by the enterprise.”

However, ADT says it has taken additional steps to protect customer information, “including immediately activating rigorous cybersecurity protocols.” The home security company also advised victims to monitor their accounts and be on the lookout for attempted phishing.

“While the investigation remains ongoing, as of the date of this filing, the company believes this cybersecurity incident has not materially impacted its operations,” ADT said in the SEC filing.

Hacker lists stolen ADT database

A threat actor identified as “netnsher” on the underground hacking forum Breach Forums has listed the allegedly stolen ADT database containing 30,812 customer records, including 30,400 unique email addresses.

They allege that the stolen database includes customer email, full address, user ID, products bought, and other details. The exposure of sales and contact information puts customers at risk of significant cyber threats, such as targeted phishing, which could result in more serious breaches.

This cybersecurity incident is hardly the first time ADT has been involved in a data breach. In 2021, a former ADT security technician admitted he accessed customers’ home security cameras over 9,600 times to spy on them, especially women. Telesforo Aviles said he added his personal email address to “ADT Pulse” customer accounts to gain real-time access.

Cybercriminals have also abused other home security providers for nefarious purposes. In 2022, prosecutors charged two men with abusing breached Amazon Ring home security cameras to swat victims and stream police raids on social media.