While the plan ultimately failed, the report focuses on the sometimes controversial tactics that companies use to respond to data breaches, and offers insight into a process that is otherwise kept quiet.
What Happened in 2021
Last year, T-Mobile said that the data of over 40 million customers was stolen. At the time, speculation as to how many customers were affected ranged from 30 to 100 million. T-Mobile later confirmed that the stolen records included some subsets of PII (Personally Identifiable Information) such as names, ID numbers, dates of birth, and social security information. It also confirmed that account numbers, phone numbers, PINs, passwords, and payment information were not compromised.
Indictment Against RaidForums Admin Unsealed Tuesday
The Department of Justice unsealed an indictment against Diogo Santos Coelho, the administrator and middleman of a high-profile hacking portal known as RaidForums, where the T-Mobile customer data was held. He was arrested in March, and the portal was shut down yesterday, Motherboard added. He has been charged with access device fraud, aggravated identity theft, and conspiracy. Court documents also reveal that the hacked data was posted for sale on RaidForums by a user hiding under the moniker “SubVirt,” Motherboard said. The thread on RaidForums did not explicitly name T-Mobile, but referred to it as “Company 3.” Another post, however, revealed that the data did indeed belong to a major telecom and wireless network operator in the U.S. The data included SSNs (Social Security Numbers) and was being sold under the titles “SELLING-124M-U-S-A-SSN-DOB-DL-database-freshly-breached” and “SELLING 30M SSN + DL + DOB database,” court documents revealed.
Third-Party Posed as Potential Buyer
The court documents go on to say that an unnamed undercover third party posing as a potential buyer first bought a sample of the stolen T-Mobile data for $50,000 in Bitcoin, then bought the entire package for $150,000 on the condition that “SubVirt” would delete his copy of the data. “The purpose of the deletion would be that this undercover customer would be the only one with a copy of the stolen information, greatly limiting the chance of it leaking out further,” Motherboard added. However, the hacker did not hold up his end of the deal, because “conspirators continued to attempt to sell the databases after the third-party’s purchase,” the court documents said. The documents also confirm that Motherboard spoke to “SubVirt” last year and verified that the user held data including SSNs and that “the hacker had accurate information on T-Mobile customers.” A day later, T-Mobile confirmed the breach.
Mandiant May Have Helped T-Mobile
An earlier statement from T-Mobile CEO Mike Sievert in August 2021 confirmed that the investigation was “supported by world-class security experts from Mandiant from the very beginning,” Motherboard wrote. As a result, T-Mobile knew exactly how the “bad actor” gained illegal access to its servers, after which it closed the affected access points and assured customers that there was no longer an ongoing risk. Whether Mandiant was the “third party” in question has not been explicitly stated. After all, organizations routinely hire threat intelligence or incident response firms like Mandiant (now acquired by Google LLC) after high-profile data breaches “to discover how exactly they were breached and to take mitigation steps against any further exposure,” Motherboard emphasized.
Controversial Defense Tactics
Organizations sometimes deploy “controversial tactics” such as taking an offensive stance and hacking the perpetrator back, Motherboard said. This can include breaching command and control (CnC) servers or other servers to confirm what data was stolen, as well as interfering with hacker infrastructure or combing for information about the identities of the hackers. For instance, news released this February showed that the LAPSUS$ hacking group’s Nvidia operation was met with an offensive response from Nvidia in the form of a revenge cyberattack, Motherboard added.

Data breaches continue to be a serious issue for large organizations. Oftentimes cloud services are left misconfigured, with unsecured AWS S3 buckets exposing the personal details of an organization’s customers to those who want to steal them. For more information about how criminals orchestrate identity theft and what you can do about it, check out our in-depth guide about identity theft. If you are an employer, it would be invaluable to check out our full guide on managed security service providers.
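The “unsecured AWS S3 bucket” mentioned above usually means a bucket policy (or ACL) that grants read access to an anonymous principal. The following is an added example, not code from the article or from any of the companies it discusses: a small offline linter that flags bucket-policy statements granting anonymous read access, run over two constructed sample policies (the bucket name, account ID and role name are made up). It examines only the policy document; in a real account, S3 Block Public Access settings and bucket ACLs would also have to be checked.

```python
"""Flag S3 bucket policy statements that grant anonymous read access.

Added example (not from the article). The sample policies below are
constructed; nothing here talks to AWS, so it runs offline.
"""
import json

# Constructed sample: a policy that lets anyone on the internet read objects.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

# Constructed sample: the same bucket restricted to a single IAM role
# (account ID and role name are placeholders).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-customer-exports",
            "arn:aws:s3:::example-customer-exports/*",
        ],
    }],
})

# Actions that expose object contents or listings when granted to "*".
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True if the Principal element grants access to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _is_read(action):
    """True for actions that read data; wildcards such as s3:Get* count."""
    a = action.lower()
    return a in READ_ACTIONS or a.startswith("s3:get") or a.startswith("s3:list")


def public_read_statements(policy_json):
    """Return the Sids of Allow statements that give anonymous read access.

    Limitations: Condition blocks, NotPrincipal and NotAction are not
    evaluated, so treat a result as a prompt for review, not a verdict.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if any(_is_read(a) for a in _as_list(stmt.get("Action", []))):
            findings.append(stmt.get("Sid", "<unnamed>"))
    return findings


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, public_read_statements(doc))
```

Running it reports the `PublicRead` statement for the first policy and nothing for the second. In practice this kind of check belongs in a pre-deployment policy review or a periodic account scan, alongside enforcing Block Public Access at the account level so that a stray `"Principal": "*"` cannot expose customer exports in the first place.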