The Metropolitan Opera Admits Data Breach After Snatch Extortion

The Metropolitan Opera (Met) has admitted that threat actors have stolen the financial and personal details of thousands of employees and visitors, following the extortion by the Snatch ransomware gang.

In a filing submitted to the Office of the Maine Attorney General, the New York-based opera company informs that roughly 45,000 people have been impacted by the security incident.

The sample of the notice uploaded on the government portal explains that the cyberattack occurred on December 6, 2022, with Met responding immediately and engaging a team of third-party specialists to contain the suspicious activity.

Two days later, the firm informed the public of the cyberattack, which had severely impacted its systems, causing service outages to its website, box office, and call center.

The Met has experienced a cyberattack that has temporarily impacted our network systems, which include our website, box office, and call center. All performances will take place as scheduled. (1/3) pic.twitter.com/inZCSPSyoX

— Metropolitan Opera (@MetOpera) December 7, 2022

As disclosed by the notice sent to impacted individuals now, Met’s internal investigation revealed that hackers breached its network on September 30, 2022, having ample time to exfiltrate sensitive data from its systems.

Unfortunately, the information that has been stolen from Met includes the following data types of visitors and employees of the opera:

• Full name
• Financial account information
• Tax identification number
• Social Security number
• Payment card information
• Driver’s license number

While the breach affected a total of 45,000 individuals, the extent of exposed data varies for each person, depending on the specific information they provided to Met.

In response to the incident, Met will cover the cost of twelve months of credit monitoring services through Kroll for all individuals whose personal information was affected by this security incident.

Snatch Ransomware

Responsibility for the attack on Met was assumed by the Snatch ransomware group, who posted the organization on their extortion and data leak site on the dark web on March 1, 2023.

Snatch is a moderately-active ransomware operation that has been active since mid-2018, having listed over 70 victims to date on their extortion portal, including high-profile firms like Volvo Cars, TUI UK, McDonald’s, and the TCL Chinese Theaters.

A Sophos analysis of the ransomware strain showed that the malware forces a restart on the victim’s machine to boot on Safe Mode, where security software won’t run, allowing the encryptor to execute unobstructed.

An interesting detail in the recent attack is that Snatch has removed the Met entry from its extortion site, which usually indicates that the victim has paid the ransom or requested more time to negotiate. However, neither scenario has been confirmed by the company yet.

RestorePrivacy has contacted the Metropolitan Opera with more questions on the matter, but we have not received any clarifications at the time of publishing.