A data breach involving online contact information for millions of individuals tied to a rogue employee at an email delivery vendor is even larger than initially believed, the vendor is disclosing.
Customer.io says a now-fired senior engineer transferred to an unnamed external party email addresses gathered by six clients.
The company is not revealing how many emails are now at heightened risk of phishing attempts as a result of the “deliberate actions” of the former employee.
Non-fungible token marketplace platform OpenSea partially divulged the incident late last month when it warned anyone who had ever shared an email address with it about the unauthorized transfer of contact information. Approximately 1.9 million users have made at least one transaction on the platform, according to data from blockchain market firm Dune Analytics.
Customer.io did not identify the other affected companies to Information Security Media Group or specify the sectors in which they operate. The affected parties have been alerted, the company says.
The incident underscores the continuing threat posed by insiders, who account for 20% of all security incidents, according to the most recent Verizon Data Breach Incident Report. The costs of insider breaches, whether caused by human error or bad actors, are going up, and the Ponemon Institute found a 47% increase over the past two years.
“After further investigating the compromised OpenSea email addresses incident, we have learned today that the email addresses from five other customers were also provided to the same external bad actor,” Customer.io tells ISMG.
This breach was limited to the actions of the single senior engineer, who had access to client email lists as part of his or her work duties, Customer.io says. The employee was reported to law enforcement authorities.
An undisclosed third-party investigations firm retained by Customer.io did not find additional evidence of email compromises.
Customer.io says it has improved its intrusion detection system and immutable logging to provide more proactive notifications of data exfiltration. It has also restricted access to its production systems and data stores and reviewed access and authorization keys for critical services.
“Access to the data in customer’s accounts by Customer.io employees is now opt-in as a setting (and turned off by default). Customers can now grant Customer.io’s support team access to their account for a limited time and only if they choose to,” the company tells ISMG. Customer.io staff will not be allowed to export customer data even with access, it adds.
Although less prevalent as a threat than once thought, trusted insiders who turn on their employers remain an ongoing concern in cybersecurity.
Just weeks ago, the Desjardins Group reached an out-of-court settlement with multiple plaintiffs to resolve a data breach class action lawsuit. The breach, which was publicly disclosed in June 2019, involved a “malicious” insider stealing and selling personal details for 4.2 million active customers of the Canadian credit union group. The settlement will provide nearly 201 million Canadian dollars ($155 million) to class members.
In May, an employee of an IT company that provided services to a healthcare organization was charged in an Illinois federal court with hacking into the company’s systems after it denied him employment. The accused, 35-year-old Aaron Lockner, was terminated by the IT services company a month after he allegedly hacked into the U.S.-based healthcare company. Neither the healthcare company nor the third-party IT contracting company for which Lockner worked was identified in court documents.
“Insider threats definitely do not draw enough attention,” privacy and security attorney Erik Weinick of the law firm Otterbourg PC said at the time (see: Feds Allege Former IT Consultant Hacked Healthcare Company).