In a significant cybersecurity incident, iHeartMedia, America’s largest radio station owner, disclosed a data breach that occurred during the final days of 2024.
Between December 24 and 27, unauthorized actors infiltrated systems at several local stations, accessing a trove of highly sensitive personal information. This included Social Security numbers, tax identification data, driver’s licenses, passport numbers, financial account details, and even health insurance information.
The breach was not publicly disclosed until April 2025, following a months-long investigation assisted by external cybersecurity experts.
Despite confirming the nature and timeline of the breach, iHeartMedia has declined to reveal how many individuals were affected, and state filing documents left that field conspicuously blank. Notifications to affected parties began on April 30, 2025, with the company offering free identity protection services in an effort to limit the potential fallout.
Why It Matters: This incident is yet another reminder that even industry giants with vast media infrastructure are vulnerable to sophisticated cyberattacks. The breadth and sensitivity of the data accessed increase the risk of long-term identity theft, financial fraud, and targeted cyber scams. Moreover, the attack’s timing, during a holiday lull, illustrates how threat actors exploit predictable patterns in organizational vigilance.
- Timeline and Detection: The breach occurred over the Christmas holiday (Dec 24–27, 2024), a period often marked by reduced staffing and slower response times. iHeartMedia said it quickly identified “unusual activity” and implemented containment measures. Its internal investigation concluded on April 11, 2025, more than three months after the intrusion.
- Scope of Stolen Data: The attack exposed a wide spectrum of personally identifiable information, including names, Social Security numbers, driver’s license and passport numbers, tax ID details, financial account and payment card data, and health and insurance information. Such a combination makes the victims especially vulnerable to fraud and targeted attacks.
- Response and Notification: iHeartMedia brought in a third-party cybersecurity firm and informed law enforcement agencies shortly after the breach. Official victim notifications began on April 30, offering impacted individuals 12 months of free identity theft protection and credit monitoring services, alongside a helpline for inquiries.
- Lack of Clarity on Victim Count: The company submitted breach notifications to states including Maine, Massachusetts, and California, but declined to specify the number of individuals or stations affected. This omission has raised concerns about transparency and the true scale of the breach.
- Industry and Security Implications: The breach follows similar incidents at other media and entertainment companies. These events underscore the need for enhanced cybersecurity resilience across the broadcasting sector, which handles large volumes of employee and consumer data and is increasingly becoming a target for criminal exploitation.
Go Deeper:
- Multiple iHeartRadio stations breached in December – The Record
- Several iHeartRadio stations hacked, customer and employee data stolen – Tech Radar
- iHeartMedia breach exposes sensitive personal data – SC Media