Frontier Communications Ransomware 2024: 750K Customers, RansomHub
Breach Summary
The Frontier Communications ransomware attack of April 2024 disrupted operations at one of the largest US internet service providers, with the RansomHub ransomware group stealing sensitive data on approximately 750,000 customers including Social Security numbers. The attack demonstrated that internet infrastructure companies are high-value ransomware targets whose compromise can have cascading effects on the customers and businesses that depend on their connectivity services.
What Happened
Frontier Communications disclosed the ransomware attack in April 2024 after detecting the intrusion and taking systems offline. The company notified the SEC under the new cybersecurity disclosure rules. RansomHub claimed responsibility and published stolen data when Frontier did not pay. The FCC opened an investigation into the breach. Frontier disclosed in June 2024 that approximately 750,000 customers had their information stolen, including Social Security numbers, in addition to other PII.
Attack Vector Detail
RansomHub, a ransomware-as-a-service group that emerged in early 2024 and absorbed former ALPHV affiliates after BlackCat's exit scam, claimed the Frontier attack. The group exfiltrated data including customer names, addresses, Social Security numbers, and other personally identifiable information before Frontier detected the intrusion. Frontier took systems offline as a containment measure, disrupting some operational systems. RansomHub published the stolen data when ransom demands were not met.
Breach Pattern Timeline
April 14, 2024
Frontier Communications — major U.S. telecommunications and broadband provider — detects unauthorized access to its IT systems. Activates incident response.
April 14-17, 2024
Frontier takes some systems offline as containment measure. Customer-facing portals and some business operations briefly disrupted.
April 18, 2024
Frontier 8-K SEC filing discloses cyber incident. Confirms unauthorized access and data theft. Stock declines.
April 22, 2024
RansomHub ransomware-as-a-service group claims responsibility. RansomHub had emerged in early 2024 as the successor brand for many former ALPHV/BlackCat affiliates after that group's exit scam following Change Healthcare.
June 6, 2024
Frontier confirms data breach affecting ~750,000 customers. Personal information including names, dates of birth, and Social Security numbers exposed.
June 10-30, 2024
Frontier sends notifications to affected customers. Provides free credit monitoring. Class action lawsuits filed.
September 2024
Frontier emerges from cyber incident having implemented enhanced security measures. Ongoing class action consolidation in federal court.
2024-2026
Frontier-RansomHub case becomes part of broader pattern of RansomHub strikes against telecommunications and infrastructure providers. RansomHub becomes the most active ransomware brand in late 2024 / 2025 following ALPHV/BlackCat collapse.
Total impact: ~750,000 customers affected (PII including SSNs). The incident was a foundational precedent for RansomHub's operations as a successor brand following the ALPHV/BlackCat collapse, and for ransomware exposure in the telecom sector.
Executive Lessons
The Frontier breach illustrated the emergence of RansomHub as the dominant ransomware platform following ALPHV's collapse — demonstrating that the affiliate ecosystem migrates rather than dissolves when law enforcement disrupts major operators. Frontier's FCC regulatory exposure added a sector-specific dimension to the breach response that telecommunications organizations must prepare for.
Private Equity Implications
For PE sponsors with telecommunications, cable, or internet service portfolio companies, the Frontier breach illustrates that customer identity data collected for service provisioning — SSNs, credit checks, identity verification — creates ransomware liability proportionate to the sensitivity of that data. Regulatory exposure from FCC, FTC, and state attorneys general adds a distinct liability dimension beyond class action exposure for telecom breaches involving customer PII.
Frequently Asked Questions
What was the Frontier Communications RansomHub attack?
In April 2024, Frontier Communications detected unauthorized access to its IT systems. The RansomHub ransomware group claimed responsibility and threatened to publish stolen data unless Frontier paid a ransom. Frontier disclosed the incident on Form 8-K under the SEC cybersecurity disclosure rules and confirmed that data on approximately 750,000 customers was exposed.
Who is RansomHub?
RansomHub is a ransomware-as-a-service operation that emerged in February 2024 and rapidly became one of the most active ransomware groups of 2024. The group recruited former affiliates from ALPHV/BlackCat and LockBit following law enforcement disruption of those operations, inheriting both technical capability and victim relationships. RansomHub is run primarily by Russian-speaking operators.
What data was exposed in the Frontier breach?
Exposed data included customer names, dates of birth, Social Security numbers, and contact information for approximately 750,000 Frontier customers. The data exposure created significant identity theft risk for affected customers and required Frontier to provide credit monitoring services.
Did Frontier pay the ransom?
Frontier did not confirm payment of any ransom to RansomHub. After the deadline passed, RansomHub published portions of the stolen data on its leak site, consistent with the pay-or-leak pattern.
What did the Frontier attack establish about telecom ransomware?
The Frontier attack reinforced that telecommunications providers are high-value ransomware targets due to their operational criticality, customer data holdings, and SEC public-company disclosure obligations. For telecom executives, the implication is that ransomware defense — particularly credential security, segmentation, and backup integrity — is a board-level operational continuity requirement.