I feel like… they just shut themselves down and claimed it was hackers so they can continue to surveil high value targets without any official connection to them.
They may think that they can get more value from their spy network via darker means.
> “The breach consisted of unauthorized access to the LetMeSpy website’s database, downloading and at the same time deleting data from the website by the author of the attack,” the notice reads.
"Good guys" don't usually download large amounts of potentially incriminating information about the people they are supposedly "saving".
Hm. There are several reasons for this I can come up with, assuming good intent. You could shuffle this data towards security researchers or the police to identify and notify affected people. It could also contain information which enables or simplifies secondary attacks against the service. Or it could contain data allowing attacks on other related groups.
All of these are too big to decide and analyze in the moment the attack goes active and visible in the infrastructure. You'd just dump it and then wipe it and figure it out later.
It's certainly a sensitive dataset and it doesn't feel any kind of "good" for literally anyone to have it. But to me it's not slam-dunk just evil.
I'm not saying this is morally right or anything, but the other reason is to cause the spyware company's current and potential clients to lose faith in their reliability as a partner.
It's one thing to pop one of these companies and dump their tooling -- they'll just get a new set of 0-days if that's part of their MO and keep selling the tools, maybe changing them a bit to evade AV detection if that's a concern.
It is another thing entirely for their client list and the identities of their clients' targets to get leaked. That's the sort of thing potential customers of these companies want to avoid at all costs.
All that said, I think they could have achieved much the same effect by just dumping their client list and maybe quietly (and privately) notifying the victims.
Are you saying that people who shut down companies that create spyware are not the good guys? I don't really care if it happens by legal means or by blackhat ops like this, but it feels like it's hard to argue it's immoral to shut them down, even if you copy and share all their private data while doing so.
Yeah, it was private data that was stolen and then released publicly by someone who stole the stolen data. Would it be ok with you if I installed malware on your phone, stole your private messages, and then those messages were stolen from me and released for the world to see? That's what happened.
> Poland-based spyware LetMeSpy is no longer operational and said it will shut down after a June data breach wiped out its servers, including its huge trove of data stolen from thousands of victims’ phones.
How had they not been fined out of existence for GDPR violations?
Poland is a member of the EU so GDPR applies to them even if the people whose data they were processing were not in the EU.
GDPR is only as good as local interpretation. The Polish government runs Google Analytics / Tag Manager on devices visiting gov.pl websites. The local GDPR body dismissed the case[1].
From my experience, GDPR in Poland is an absolute joke. Microsoft refused to allow me to access and delete my personal data which they have purchased. UODO's (Polish GDPR body) response was something along the lines of "we don't deal with internet accounts".