Crime

T-Mobile Secretly Bought Its Customer Data From Hackers To Stop Leak. It Failed (vice.com)

An anonymous reader quotes a report from Motherboard: Last year, T-Mobile confirmed it was breached after hackers offered to sell the personal data of 30 million of its customers for 6 bitcoin worth around $270,000 at the time. According to court documents unsealed today and reviewed by Motherboard, a third-party hired by T-Mobile tried to pay the hackers for exclusive access to that data and limit it from leaking more widely. The plan ultimately failed, and the criminals continued to sell the data despite the third-party giving them a total of $200,000. But the news unearths some of the controversial tactics that might be used by companies as they respond to data breaches, either to mitigate the leak of stolen information or in an attempt to identify who has breached their networks.

On Tuesday, the Department of Justice unsealed an indictment against Diogo Santos Coelho, who it alleges is the administrator of a popular hacking site called RaidForums. Law enforcement also uploaded a banner to the RaidForums site announcing they had taken over its domain. Coelho was arrested in the United Kingdom in March. Included in the affidavit in support of the request for his extradition to the United States is a section describing a particular set of data that was advertised on RaidForums in August. [...] The document does not name the victim company, instead referring to it as Company 3, but says another post confirmed that the data belonged to "a major telecommunications company and wireless network operator that provides services in the United States."

The document goes on to say that this company "hired a third-party to purchase exclusive access to the database to prevent it being sold to criminals." An employee of this third-party posed as a potential buyer and used the RaidForums administrator's middleman service to buy a sample of the data for $50,000 in Bitcoin, the document reads. That employee then purchased the entire database for around $150,000, with the caveat that SubVirt would delete their copy of the data, it adds. The purpose of the deletion would be that this undercover customer would be the only one with a copy of the stolen information, greatly limiting the chance of it leaking out further. That's not what happened. The document says that "it appears the co-conspirators continued to attempt to sell the databases after the third-party's purchase." Company 3, the unnamed telecommunications firm that hired this third-party, was T-Mobile, according to Motherboard's review of the timeline and information included in the court records.
The third-party that paid cybercriminals $200,000 may have been Mandiant, though the security company has yet to confirm with Motherboard. In March, Mandiant announced it was being acquired by Google.
Comments
  • by smittyoneeach ( 243267 ) * on Tuesday April 12, 2022 @05:01PM (#62441626) Homepage Journal
    T-Mobile hack?
    Get data back!
    Unlike whiskers,
    No return stack.
    Burma Shave
    • Re:T-Mobile hack? (Score:4, Insightful)

      by Brain-Fu ( 1274756 ) on Tuesday April 12, 2022 @05:13PM (#62441662) Homepage Journal

      Time for a security audit. Show "due diligence" or send the execs to jail.

      (For purposes of brevity, "due diligence" shall not be defined in this post.)

      • by AmiMoJo ( 196126 )

        I've noticed that companies have already started doing this to cover the C-level arses.

        They get an external audit from a company they can rely on to pass whatever joke passes for their IT system, and then when it gets hacked they get a security firm in to write a report saying it was a sophisticated zero-day hack that couldn't have been prevented.

  • Seriously? (Score:5, Insightful)

    by hdyoung ( 5182939 ) on Tuesday April 12, 2022 @05:07PM (#62441646)
    They tried to buy their data back from a criminal group? What a case of the dumb fleecing the dumber.
    • Re:Seriously? (Score:5, Insightful)

      by saloomy ( 2817221 ) on Tuesday April 12, 2022 @05:58PM (#62441760)
      Businesses affected by ransomware and data exfiltration spend a lot of money trying to regain their data or mitigate damage to them and their customers. I have often thought what if it were made illegal to send ransomware gangs money, but that would just leave the business with even fewer options. Often times, the data is business vital. There are no good options beyond out-of-band backup and disaster recovery processes.
      • I've heard very few stories of businesses that successfully bought off the criminals. As in, none. On the other hand, I've heard plenty of stories of companies paying ransomware gangs, only to be given a key that decrypts so slowly that the company just cuts its losses and restores the conventional way, or a key that simply doesn't work at all. And, apparently, companies that pay to ransom their data back get to watch it seep into the darkweb anyway.

        It's almost like there's no honor among thieves.
      • Re:Seriously? (Score:5, Insightful)

        by farble1670 ( 803356 ) on Tuesday April 12, 2022 @07:06PM (#62441942)

        Businesses affected by ransomware and data exfiltration spend a lot of money trying to regain their data or mitigate damage to them and their customers.

        Not as much as it costs to fix their security. Which is why it keeps happening. Fixing their infrastructure could be an 8-digit ongoing expense. $200k seems like a bargain. In fact, they probably knew they were likely to be scammed but at that price it's worth the risk. Not much ventured, nothing gained.

        I have often thought what if it were made illegal to send ransomware gangs money, but that would just leave the business with even fewer options.

        I think we just need to make the fines for leaking user data more than the cost of good security. I'm sure there is an army of lobbyists trying to prevent that, however.

    • by Kisai ( 213879 )

      No honor among thieves.

      Your data leaked? Fix the leak.
      Your data still being out in the wild? Use your 900lb-gorilla powers to get law enforcement to shut it down.

      If only small companies had the leverage to get criminal websites hiding behind Cloudflare to shut down.

  • by v1 ( 525388 ) on Tuesday April 12, 2022 @05:24PM (#62441694) Homepage Journal

    And this is why you don't negotiate with anyone trying to extort you. Despite whatever they say, you're just paying them not to release your data for a limited time, until they decide it's time for you to make another payment.

    It only stops when you stop paying them. At best, you've just paid for some time to do some damage control in preparation for the eventual publication of the information.

    And even if they DO appear to have honored the agreement, years later it can still be weighing on your nerves. The anxiety of not really knowing for sure if they're going to come back for more, or just plain release it for the lols. Rip the band-aid off, get it over with. You'll sleep better, and not have paid for the privilege of getting tortured over it.

    • by narcc ( 412956 )

      It only stops when you stop paying them.

      Or until the bad actors are caught. Bitcoin is far from anonymous, after all.

      • by RegistrationIsDumb83 ( 6517138 ) on Tuesday April 12, 2022 @06:23PM (#62441826)
        True, maybe the real reason they were paid is so law enforcement would have a trail of coins to follow. After all, I can't see T-Mobile paying to protect its users' privacy, lol
        • You could do that by agreeing and then paying out .00001bc. Though when they offer you the destination, do you need to pay anything at all?

      • It often takes longer to catch them than it does to refuse the offer and recover.

        And the policy of no negotiations is, for me, the only responsible way. Paying for it risks paying again and again, and getting nothing in the end.

  • by belthize ( 990217 ) on Tuesday April 12, 2022 @05:50PM (#62441740)

    Shocked, absolutely astounded that a group of people willing to commit multiple felonies failed to honor a verbal agreement not to make more money off of T-Mobile's stupidity.

  • It seems like most stories involving Bitcoin (and cryptocurrencies in general) are tales of woe.

    Rarely do we hear the "he made a bundle and retired to a private island" story, but it's like there's daily stories of hacks and "rug pulls" and all sorts of other events where people get ripped off.

    • by redback ( 15527 )

      because it doesn't generate money by doing useful work.

      it only generates money by other people losing it.

  • ... that SubVirt would delete their copy ...

    The claims of "always a criminal" may be true, and certainly are in this case. Nevertheless, even criminals need to be honest. This is why the oxymoron "decent criminal" exists: if your customers don't trust you, you can't do 'honest' business. Future victims now know there is no possible cover-up, no buying time: there's no advantage to doing business with this criminal.

  • This just confirms it. Take your losses, improve your security, but do not pay the assholes.

    • Hey, as a customer, I assume my data is going to be 'lost' some day. Let's just get over the illusion of security now and prepare for the aftermath.

  • and Naive
  • for being complicit in it?

  • T-Mobile wasn't even dealing with the original thieves, just one of potentially many middle-men that were attempting to re-sell the data. I don't see how they thought this was going to help themselves or their customers and suspect they were not all that well informed. There are consulting companies that pay Russians to be kept abreast of these leaks and then turn around and offer services to victim companies. I would guess T-Mobile was approached by one of these consultants and turned them down ... they
