ShinyHunters published personal data of nearly 5 million Charter customers, prompting investigations under GDPR, CCPA and US telecom privacy rules. While Charter says no “sensitive” data was taken, the leak of names, addresses, phone numbers and email addresses still exposes the company to fines, mandatory breach notifications and a wave of compliance work for the telco and its partners.
ShinyHunters adds Charter to trophy shelf after 4.9 million customer records leak

What happened
The extortion gang ShinyHunters posted a dump of 4.9 million Charter Communications customer records on its public leak site. The data set, since verified and indexed by the Have I Been Pwned breach database, contains names, email addresses, telephone numbers and physical mailing addresses. A smaller slice, about 85,000 rows, comes from an internal staff directory and includes job titles.
The gang had previously claimed to hold more than 42 million records belonging to Charter’s consumer and business customers. After a deadline of 27 May 2026 passed without payment, the criminals updated the posting with a taunt, indicating that the data would be released regardless of the company’s response.
Legal basis for the response
- General Data Protection Regulation (GDPR) – Although Charter is a US‑based entity, GDPR applies to any controller processing the personal data of people in the EU, and Charter is reported to process such data through its Spectrum service. GDPR Art. 33 obliges controllers to notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals; the clock starts at awareness, not at public disclosure. Art. 34 requires direct communication to affected data subjects when the breach is likely to result in a high risk to them.
- California breach‑notification law and the CCPA/CPRA – Charter serves millions of California residents. California’s breach‑notification statute (Cal. Civ. Code § 1798.82) requires notice to affected residents and, when more than 500 residents are affected, a copy of that notice to the California Attorney General. Separately, the CCPA gives consumers a private right of action when non‑encrypted, non‑redacted personal information is exposed because the business failed to implement reasonable security measures (Cal. Civ. Code § 1798.150). The definition that right relies on (§ 1798.81.5) is narrower than name, address, phone and email alone, so whether this leak qualifies turns on what else, if anything, the records contained.
- Federal CPNI rules – Section 222 of the Communications Act (47 U.S.C. § 222) and the Federal Communications Commission’s implementing rules (47 C.F.R. § 64.2011) require carriers to protect customer proprietary network information (CPNI), to report CPNI breaches to federal authorities, and to notify affected customers within 30 days. CPNI covers call‑detail and service‑usage records rather than basic contact details, which is why Charter’s statement that no CPNI was taken matters for this rule in particular.
- State breach‑notification statutes – All 50 US states have laws mandating prompt notice to residents whose personal data is compromised. Most of them, however, define “personal information” as a name combined with a sensitive identifier such as a Social Security, driver’s‑licence or financial‑account number, or an email address together with a password. Name, address, telephone number and email on their own fall outside many of these definitions, so whether state notices are owed depends on exactly which fields each record contained.
Impact on users and the company
- For customers – The exposed data contains no passwords or payment details, but names, emails, phone numbers and postal addresses are enough for convincing phishing, SIM‑swap requests and targeted social engineering, and they let attackers match victims against credentials from earlier leaks for credential‑stuffing attacks. A study by the Identity Theft Resource Center shows that 71 % of victims of data‑leak‑derived scams experience financial loss within six months.
- For Charter – The company’s statement that “no sensitive personal information or CPNI was exfiltrated” narrows its exposure under the FCC’s CPNI rules but does not end its regulatory liability. GDPR covers all personal data, not only the special categories, and California’s notification duty turns on the statutory definition of personal information rather than on a company’s own label. The breach therefore triggers mandatory notifications and exposes Charter to fines of up to €10 million or 2 % of global turnover for inadequate security under GDPR Art. 32 (rising to €20 million or 4 % for breaches of the core processing principles), administrative penalties of up to $2,500 per violation, or $7,500 per intentional violation, under the CCPA, and statutory damages of $100 to $750 per consumer per incident if the § 1798.150 private right of action applies.
- For partners and third‑party vendors – Any service provider that processes Charter data must assess whether it is a processor under GDPR. Processors carry their own security obligations and can be held liable where they fail to meet them, meaning cloud hosts, billing platforms and analytics services could also face enforcement.
What changes are required
- Immediate breach notification
- Notify the lead EU supervisory authority where EU resident data is involved (and the UK Information Commissioner’s Office separately under the UK GDPR if UK residents are affected), citing the exact categories of data and the number of affected individuals.
- File a breach report with the FCC and the California Attorney General within the statutory windows.
- Risk assessment and mitigation
- Conduct a forensic investigation to confirm the scope of the breach, identify the attack vector (undisclosed at the time of writing; credential theft and mis‑configured cloud storage are the likeliest candidates) and isolate compromised assets.
- Offer free credit‑monitoring or identity‑theft protection to affected US and EU customers, as recommended by the FTC and GDPR guidance.
- Review and harden security controls
- Enforce multi‑factor authentication (MFA) for all internal and privileged accounts.
- Encrypt personally identifiable information (PII) at rest in databases and backups; GDPR Art. 32 names encryption as an appropriate measure and it forms part of the CCPA’s “reasonable security” standard. Note the limit of this control: at‑rest encryption protects stolen disks and backups, but it does nothing against an attacker who reads records through an authenticated application, API or database session, which is how most bulk data‑theft leaks occur. Pair it with least‑privilege data access, rate limits on bulk queries and alerting on unusually large reads.
- Conduct regular penetration testing and red‑team exercises focused on supply‑chain and insider‑threat scenarios.
- Update contracts and data‑processing agreements
- Ensure that all third‑party contracts contain GDPR‑compliant data‑processing clauses, including obligations for breach notification and audit rights.
- Add CCPA‑specific clauses that address “contractual obligations to implement reasonable security procedures.”
- Governance and training
- Appoint a Data Protection Officer (DPO) if not already in place, to oversee GDPR compliance and act as the point of contact for supervisory authorities.
- Roll out mandatory privacy‑security training for all staff handling customer data, emphasizing phishing awareness and the proper handling of employee directories.
Broader implications
The Charter breach underscores a growing trend: extortion groups like ShinyHunters are shifting from ransomware to pure data‑theft‑for‑sale operations, because the market for personal data remains lucrative. For regulators, the case illustrates why privacy laws are moving toward outcome‑based enforcement – fines are tied to the actual harm caused, not merely the volume of data stolen.
For consumers, the lesson is clear: even “non‑sensitive” data can be weaponised. Treat unsolicited calls and emails that quote real account details with suspicion, keep a unique password for every service in a password manager, and turn on multi‑factor authentication on the Spectrum account so a leaked email address cannot be parlayed into a takeover.
What to watch next
- The FCC’s forthcoming guidance on CPNI breach reporting, expected in Q3 2026, may tighten notification timelines.
- The European Data Protection Board is reviewing whether breaches in which the data is publicly posted should be treated as “high risk” under GDPR Art. 34, which would make direct notification of data subjects mandatory and could raise the penalty exposure for similar incidents.
Charter’s handling of this breach will likely become a benchmark case for how US telecoms respond to cross‑border privacy violations. The company’s next steps will be scrutinized by regulators, consumer‑advocacy groups and, of course, the millions of customers now staring at their inboxes for a phishing email that never should have existed.