T-Mobile Secretly Bought Its Customer Data From Hackers To Stop Leak. It Failed
An anonymous reader quotes a report from Motherboard: Last year, T-Mobile confirmed it was breached after hackers offered to sell the personal data of 30 million of its customers for 6 bitcoin worth around $270,000 at the time. According to court documents unsealed today and reviewed by Motherboard, a third-party hired by T-Mobile tried to pay the hackers for exclusive access to that data and limit it from leaking more widely. The plan ultimately failed, and the criminals continued to sell the data despite the third-party giving them a total of $200,000. But the news unearths some of the controversial tactics that might be used by companies as they respond to data breaches, either to mitigate the leak of stolen information or in an attempt to identify who has breached their networks. On Tuesday, the Department of Justice unsealed an indictment against Diogo Santos Coelho, who it alleges is the administrator of a popular hacking site called RaidForums. Law enforcement also uploaded a banner to the RaidForums site announcing they had taken over its domain. Coelho was arrested in the United Kingdom in March. Included in the affidavit in support of request for his extradition to the United States is a section describing a particular set of data that was advertised on RaidForums in August. [...] The document does not name the victim company, instead referring to it as Company 3, but says another post confirmed that the data belonging to "a major telecommunications company and wireless network operator that provides services in the United States. The document goes on to say that this company "hired a third-party to purchase exclusive access to the database to prevent it being sold to criminals." An employee of this third-party posed as a potential buyer and used the RaidForums' administrator's middleman service to buy a sample of the data for $50,000 in Bitcoin, the document reads. That employee then purchased the entire database for around $150,000, with the caveat that SubVirt would delete their copy of the data, it adds. The purpose of the deletion would be that this undercover customer would be the only one with a copy of the stolen information, greatly limiting the chance of it leaking out further. That's not what happened. The document says that "it appears the co-conspirators continued to attempt to sell the databases after the third-party's purchase." Company 3, the unnamed telecommunications firm that hired this third-party, was T-Mobile, according to Motherboard's review of the timeline and information included in the court records. The third-party that paid cybercriminals $200,000 may have been Mandiant, though the security company has yet to confirm with Motherboard. In March, Mandiant announced it was being acquired by Google.
Read more of this story at Slashdot.