An off-record attempt to buy customer data back from thieves failed after the T-Mobile hack of late 2021, leaving it circulating on underground forums. The hackers got away with at least 30 million files, some containing very sensitive information, which T-Mobile attempted to recover via a $200,000 payment arranged through an unknown third-party contractor.
Mobile carrier’s customer data remains available, some records may include SSNs
After the August 2021 T-Mobile hack, which saw at least 50 million records exposed to the attackers, the stolen customer data appeared for sale on an underground site called RaidForums. The site has since been taken down by an international law enforcement effort, but there was a window of about seven to eight months during which the customer data was made available there.
The initial seller was offering about 30 million records from the T-Mobile hack: information on almost a third of the company’s active customers, and almost half of those with postpaid plans, which require presenting sensitive personal information (such as a Social Security number) to activate. They were asking six bitcoin for the collection, or about $270,000.
Failure to recover data from T-Mobile hack creates continuing risk for customers
The T-Mobile hack was confirmed by the company shortly after it happened last year, but it has never been entirely clear exactly how much sensitive customer data got out or exactly where it got to. We now know that T-Mobile’s internal attempts to corral it failed, as payments totalling $200,000 made to the RaidForums seller did not have the intended effect. The seller continued to offer the customer data via these underground postings for some time after the dates on which the payments were made.
The information about all of this comes to us from unsealed court records. The records do not directly identify the parties involved, but it is clear from the breach details that the “wireless carrier” they refer to is T-Mobile. T-Mobile also engaged an unnamed cybersecurity partner to carry out the payments to the RaidForums seller; the partner’s identity has been the subject of much speculation because of the company’s relationship with security giant Mandiant, established immediately in the wake of this breach. The contractor apparently first made a payment of $50,000 to buy a sample of the data to verify it, then paid an additional $150,000 for an agreement that it would be taken down and deleted. It is unclear whether T-Mobile was aware that the contractor attempted to buy the customer data back.
The incident will certainly not inspire any fresh confidence in T-Mobile’s security record, which has taken a serious hit in recent years with a string of data breaches dating back to 2016. Security advocates have called for T-Mobile and other companies that handle sensitive customer data to respond to the new world of cybersecurity risks by implementing more thorough encryption throughout their internal systems.