Several iHeartRadio stations hacked, customer and employee data stolen

News
By published

Very sensitive PII was taken in iHeartRadio attack

How to prevent cyberattacks
(Image credit: Unsplash)
  • iHeart confirms "several" radio stations were hit with a data breach
  • Crooks took names, health, and payment data, from an undisclosed number of people
  • The company notified the government and law enforcement

Multiple iHeartMedia radio stations suffered a cyberattack in which crooks stole sensitive customer data, the company has confirmed in a data breach notification letter sent to affected individuals, as well as filings with multiple US state attorney generals.

The Record spotted iHeartMedia reporting the breach to Maine, Massachusetts and California, but noted the company left out the field on the total number of affected individuals, so it isn't known how many people had their data stolen.

In the notification letter it’s been sending out, the company said that between December 24 and December 27, 2024, an unauthorized actor “viewed and obtained” files stored on systems “at a small number of our local stations.”

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

​Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.

It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.

Preferred partner (What does this mean?)

View Deal

Millions of messages

So, several radio stations appear to have been hit, but the company did not say how many.

iHeart is the largest audio-focused media company in the US, with 870 radio stations and a quarter of a billion listeners every month.

No threat actors have yet assumed responsibility for the attack, however, iHeart said that whoever it was, they managed to steal people’s full names, passport numbers and other governmental identification numbers, dates of birth, financial account information, payment card information, health information, and/or health insurance information.

The threat actors struck gold with this database. With names, birth dates, and health and insurance information, they can target people with tailored phishing attacks, and with passport numbers they can engage in identity theft.

Financial account information - particularly payment card information - can be used in wire fraud. The data hasn’t yet emerged for sale on the dark web either.

To tackle the threat, iHeart is giving out a year of identity theft protection services to affected individuals. It also set up a dedicated phone number for people with inquiries.

Via The Record

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.