Following a hack last year, US operator T-Mobile apparently tried to buy back the stolen data, a move which backfired as the data remained on sale nonetheless.

Having had the personal data of 30 million customers hacked last year, T-Mobile used a third party to contact and pay the hackers a $200,000 to stop it leaking – however they just sold it anyway, according to Vice’s tech arm Motherboard.

The data was apparently being sold on RaidForums, which seems to be some sort of online pirate’s bay where hackers and criminals meet to trade in such things as stolen data. Yesterday the US Department of Justice unsealed an indictment (as in made it public) against Diogo Santos Coelho, who it says is the administrator of the site, and announced they had taken over its domain. Coelho was arrested in the UK in March and there is a request for his extradition to the US.

The DoJ report, the release of which is how we know all this happened, says: “On or about August 11, 2021, an individual using the moniker ‘SubVirt’ posted on the RaidForums website an offer to sell recently hacked data with the following title: ‘SELLING-124M-U-S-A-SSN-DOB-DL-database-freshly-breached.’”

The story goes that T-Mobile “hired a third-party to purchase exclusive access to the database to prevent it being sold to criminals.” Posing as a potential buyer, this third party went to RaidForums and purchased first a sample then the entire database for around $200,000, with the caveat that SubVirt would delete their copy of the data. The document says: “it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase.”

There are more details on the specifics in the article by Vice, which apparently went so far down the investigative journalist route as to get a hold of some of the data itself: “At the time Motherboard spoke to the person selling the data including SSNs and obtained samples of the data which confirmed the hacker had accurate information on T-Mobile customers,” says the report. “T-Mobile provided a statement at the time saying it was investigating the hack against its company. A day later, T-Mobile confirmed it had been breached.”

It’s worth pointing out this is slightly different from a straight up reneged upon ransom situation, in that the ‘third party’ was presumably pretending to be another criminal buying the data for scams of its own. It’s not clear, but it sounds like this situation came to light because the seller reneged on the deal, prompting some sort of legal swoop which then has to be made public. You have to wonder how often firms are buying back stolen data on these illegal sites in the way described above, since we might never know about it if all goes to plan.

Is it a dodgy move by corporations to engage in this sort of covert ops? It’s hard to definitively say what the right thing to do is  – assuming a firm has done its due diligence in terms of its own security, you can’t blame them for being hacked. And maybe it’s a responsible stance to do whatever is needed to stop its customers data being leaked more widely once it has.

The counter argument being the ‘don’t negotiate with terrorists’ line, that implies doing so could encourage more hacks in the future. Whether a seller of hacked information knows it is the owner buying it back or not, if it turned out to be a lucrative little venture for them even if they didn’t renege on the deal, they might be emboldened to have a crack at another firm. Or just hit the same one again. The cyber arms race continues to escalate.

Get the latest news straight to your inbox. Register for the Telecoms.com newsletter here.