John Leyden of The Register reports that the EC-Council sent out a notification to its members about the February breach noted previously on this blog. Here’s the full text of their message:
On Saturday, February 22nd, 2014, the ICANN-accredited domain registrar of EC-Council was compromised and as a result, EC-Council suffered a DNS Poisoning attack, which resulted in their website being defaced. EC-Council launched a comprehensive investigation and began work to regain control immediately.
As the attack happened over the weekend, EC-Council’s security team had challenges reaching the appropriate domain registrar personnel to address the situation. As a result, the hacker was able to maintain control of the registrar’s system and the EC-Council domain during this time period. The domain registrar in question was unable to secure their servers to a level desired by EC-Council and during this period, the domain registrar was exposed at least 2 more times. As such, EC-Council sustained an outage while moving the entire domain to another provider. Simultaneously, the EC-Council security team instituted additional countermeasures to other EC-Council systems within their direct control and began strengthening other security measures organization-wide.
EC-Council uses a cloud service provider for enterprise email. Once the domain privilege was attained, the hacker then issued a password reset request to the email service provider. This circumvented EC-Council’s best practices of using complex passwords and 2-factor authentication.
EC-Council has informed the service provider of this password reset policy vulnerability and are hopeful that they have already rectified it for the benefit of the IT community in general.
With administrative access to the email service provider, the hacker was able to compromise a small number of email accounts before the EC-Council security team was able to respond to the breach. This resulted in unauthorized access to messages in those specific email boxes for a short duration of time. The potentially compromised accounts represent approximately 2% of their customer base.
As the investigation is ongoing, EC-Council was unable to ascertain if any data was compromised in these accounts. However, as a precautionary measure, they are writing to notify customers that have sent any personally identifiable information to EC-Council via e-mail that there is a possibility that these may have been exposed through email. No credit card data was compromised. As a precaution, EC-Council strongly recommends that their affected customers remain vigilant for any unauthorized use of the information shared with EC-Council and that they alert EC-Council if they find any reason to suspect any.
EC-Council strives to set a very high bar for how they serve their community, and this incident is upsetting. EC-Council has since transferred their domain to another registrar, changed policies on management of personal information, improved existing data retention policies, introduced two-factor authentication for member portals, and improved security procedures and systems. They will continue to do more in the weeks and months to come.
EC-Council has been working closely with law enforcement agencies across 3 continents. EC-Council is doing everything in their power to prevent this from happening again and will leverage the full extent of international law to prosecute the individual responsible.
EC-Council is a vibrant community like no other, and value their customers. Please let them know if you have any questions, comments, or concerns. You can reach them at accountsecurity@eccouncil.org.