- Reports say it’s unclear whether or not the US NatCo was aware of payments made to cybercriminals.
- Last year’s data breach affected nearly 55 million users.
T‑Mobile US reportedly took an unusual step, possibly without its own knowledge, to limit the damage from a major data breach in August 2021, but the move apparently backfired and ended up costing the US operator around $200,000 (£153,000).
TMUS confirmed last year that customers’ personal information was stolen from its systems in yet another data breach at the NatCo, affecting nearly 55 million users.
At the time, a contrite TMUS Chief Executive Mike Sievert announced partnerships with US cybersecurity firm Mandiant and consulting firm KPMG to help the company clean up its security act. The partnerships are “part of a substantial multi-year investment to adopt best‑in‑class practices and transform our approach”, he said.
According to court documents unsealed this week and reviewed by Motherboard, which first reported the August incident, a third‑party specialist hired by TMUS tried to pay the hackers for exclusive access to the stolen data in order to contain the leak. The deal was reportedly arranged through a site called RaidForums. The plan apparently failed, and the criminals continued to sell the data anyway.
The Motherboard report said the court documents did not name the third party. It also noted that Mandiant did not respond to its request for comment on whether it was the third party that paid the cybercriminals.
Furthermore, TMUS has apparently not confirmed whether it knew that the third party it hired had paid cybercriminals in an attempt to stop the customer data from being leaked.
The US Department of Justice (DoJ) announced this week that a coalition of international law enforcement agencies, led by the DoJ, had seized RaidForums, which it described as a popular marketplace for cybercriminals to buy and sell hacked data. The site’s founder, Diogo Santos Coelho from Portugal, was arrested in the UK on 31 January 2022 at the United States’ request. The DoJ said Coelho remains in custody pending the resolution of his extradition proceedings.
Motherboard noted that the affidavit supporting the request for Coelho’s extradition includes a section describing a particular set of data that was advertised on RaidForums in August 2021 under the user name ‘SubVirt’. This was the user that was apparently contacted by the third party in an attempt to buy back the leaked TMUS data. The document does not name the ‘victim company’ that hired the third party, instead referring to it as ‘Company 3’. According to Motherboard’s investigations, ‘Company 3’ was TMUS.