T-Mobile retail shop showing T-Mobile hack and stolen customer data

Secret Attempt to “Buy Back” Customer Data From T-Mobile Hack Failed, Criminals Sold Information in Spite of $200,000 Payment

An August 2021 breach of T-Mobile led to the theft of the personal data of tens of millions of customers. Newly unsealed court documents indicate that T-Mobile unsuccessfully tried to buy the customer data back from the hackers. The company arranged a payment of $200,000 through a third party, but personal data from the T-Mobile hack was subsequently seen for sale on dark net forums regardless.

T-Mobile hackers took the money and ran

The T-Mobile hack was disclosed to the public shortly after it happened in August. John Binns, a 21-year-old self-professed hacker, also publicly claimed responsibility for the attack and provided the media with details about how it was done. The breach included highly sensitive customer data such as Social Security numbers, driver’s license numbers, subscriber IMEI and IMSI numbers, and even information on former customers and prospects who had shown interest in the company’s mobile service.

Binns, who resides in Turkey, indicated in interviews that he worked with others on the T-Mobile hack but did not name partners. It appears that T-Mobile went undercover in an attempt to engage with these other parties and buy back the stolen customer data before it could hit the black market.

The hackers had been offering the customer data for sale in a collection of 30 million files for six bitcoin, worth about $270,000 at the time. The court documents did not name the third party that T-Mobile engaged, but in the wake of the breach the telecoms giant indicated that it had retained prominent cybersecurity firm Mandiant (recently acquired by Google for $5.4 billion) in a multi-year agreement. Mandiant has not responded to requests for comment on the issue, and T-Mobile has not commented on whether or not it was aware a payment for the customer data had been made.

The court documents indicate that around August 11, a posting on the underground forum RaidForums listed the spoils of the T-Mobile hack for sale. The third party that T-Mobile engaged first purchased a sample of the data for $50,000 in bitcoin to verify its authenticity, then made an additional payment of $150,000 to purchase the entirety of the customer data while also securing an agreement that the hacker would delete it after the funds were received. Trusting the anonymous hacker turned out to be an unwise move, as the customer data resurfaced for sale several times after the payment was made.

Stolen customer data still at large

The Department of Justice has filed charges against Diogo Santos Coelho, the alleged administrator and founder of RaidForums. The forum was taken down in early April by a combination of US and European law enforcement agencies and is now in the hands of the DOJ. Nevertheless, the T-Mobile hack data has likely spread to other places by now.

It is unclear how many of the 54 million records stolen in the T-Mobile hack belonged to former customers and prospects; the 30 million records offered for sale on RaidForums and through other criminal sources may have been pared down to those that contained sensitive customer data useful to those looking to commit fraud. T-Mobile currently has about 104 million active customers, 84 million of whom are postpaid subscribers who generally have to provide a Social Security number for a credit check prior to establishing service.

T-Mobile has established something of a negative cybersecurity history, dating back to before this recent loss of a major chunk of customer data. The company had at least half a dozen data breaches between 2016 and 2020, with an incident of this nature almost becoming an annual occurrence since then. These breaches are separate from a seemingly unique vulnerability to SIM-swapping attacks, over which the company has faced a number of individual lawsuits after employees authorized transfers of phone numbers that should have been caught. These SIM-swapping attacks have largely targeted victims known to hold substantial cryptocurrency wallets tied to their phone number, as attackers seek the means to bypass two-factor authentication and reset passwords.

In 2016 a rogue employee in the Czech Republic made off with the data of 1.5 million customers, which appeared for sale at least briefly in the criminal underground. This was followed in 2018 by a breach of the contact information of about two million customers. There were two incidents in 2019, collectively exposing contact and account data for over a million customers. And there were two incidents in 2020, one of which began with an attack on the company’s email vendor.

Gary Ogasawara, CTO of Cloudian, sees the central remedy to this chain of lapses in security as a company policy of more thorough encryption practices, along with stronger defenses against ransomware attempts: “The recent uncovering of the T-Mobile hack and the company’s attempts to retrieve its data is the latest example of why organizations should encrypt sensitive data both in-flight and at rest. Encryption prevents hackers from reading or making data public in any intelligible way, thereby eliminating the need to pay ransom to keep the data from being exploited … Our 2021 ransomware survey found that only 57% of organizations that experienced a ransomware attack and paid the ransom got all their data back. That’s why it’s essential that organizations have an immutable (unchangeable) backup copy of their data as part of their overall cybersecurity strategy. Immutability prevents cybercriminals from altering or deleting data, ensuring the ability to quickly recover the unchanged backup data without paying the ransom.”