Date of Incident Occurrence

August of 2021

Incident Type

Insider Data Theft

Event Severity

Critical

Event Narrative

Leadership at an organization received an email that contained a block of customer information and a ransom demand. The organization first verified that the data was legitimate, and it was: the data included customer PII such as SSNs. However, the data contained typos and inconsistencies in its formatting.

The attackers began a double extortion campaign against the organization. They threatened to release the data on the dark web. Additionally, they notified customers that they had the information and urged the customers to call the organization and threaten to sue. This was a tactic to increase the pressure on the organization to pay the ransom.

An investigation concluded that the data had been exfiltrated from an offshore customer service center. The insiders had taken pictures of the customer information with their smartphone cameras and then sold the information after resigning from the customer service center.

Remediation steps put in place since discovery of the incident?

The organization immediately engaged Future Point of View. FPOV began advising the organization on ransom negotiations and customer notification. A dark web search by FPOV and an additional third party concluded that the data had not been posted on the dark web. The organization closed the offshore call center and began reconsidering its governance of overseas locations.

What would you like others in the industry to know about the incident?

It is important to increase your diligence regarding any data that will be accessed by personnel in countries outside of the United States, especially countries with poorer economies, where contractors may have more of an incentive and the means to steal data or information.