BT Group has confirmed it was hit by a ransomware attack orchestrated by Black Basta, a group known for its ransomware and ransomware-as-a-service (RaaS) operations, leading the company to shut down parts of its infrastructure.
In its statement, BT Group said that the attack specifically targeted BT Conferencing, a subsidiary based in Braintree, Massachusetts. However, Black Basta has disputed this, claiming to have exfiltrated 500GB of data from BT’s servers.
Here’s everything we know so far.
BT breach: Timeline of events
The breach at BT Group was first revealed when the Black Basta ransomware group posted a series of files labeled “BT Group” on its dark web site. The hacking group claimed to have infiltrated the company’s servers and stolen 500GB of data, including personal information, NDA documents, and intellectual property.
BT, however, has downplayed the severity of the attack, insisting that the group is overstating the impact. “We identified an attempt to compromise our BT Conferencing platform,” a spokesperson said. “This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated.”
The company stressed that the affected servers did not support live conferencing services, which remain fully operational. “No other BT Group or customer services have been affected,” they added. “We’re continuing to actively investigate all aspects of this incident, and we’re working with the relevant regulatory and law enforcement bodies as part of our response.”
But Black Basta has continued to press its case, releasing folder listings and screenshots of hiring documents to back up its claims. The group has threatened to release the entire data trove next week unless BT pays the ransom, complete with a countdown timer on its dark web leak site.
Next steps
Although it emerged only in 2022, the Black Basta ransomware group has quickly established itself as one of the most formidable cybercriminal threats. According to the FBI and CISA, the group has already targeted over 500 organizations, amassing at least $100 million in ransom payments from more than 90 victims.
While Black Basta typically targets high-profile organizations (its victims include Hyundai Europe, Capita, and Yellow Pages), ransomware remains a widespread risk for businesses of all sizes. Last year, an estimated 72% of companies were affected by ransomware attacks, either directly or through supply chain disruptions.
Here are actionable steps to take to protect your company:
- Take care of the security basics: Prioritize cybersecurity basics such as multi-factor authentication, regular software patching, vulnerability scanning, and strong password policies.
- Cloud environments are a common weak spot: Cloud misconfigurations and poor access controls can turn your business into a sitting duck for attackers. Address these risks by training teams in secure cloud management and deploying automated tools to detect and prevent data exposure.
- Automate data protection for PII: Use AI-enhanced DLP to monitor and redact sensitive data in real time, minimizing the potential for data theft even if attackers break into your systems.
- Cybersecurity starts with people: Human error is often the trigger for successful ransomware attacks. Implement human risk management (HRM) to help employees recognize and respond to potential threats in real time.