Having spent years interviewing hackers who described themselves as hacktivists or as hacking for the lulz, talking to hackers who engage in criminal hacking as a source of income has been… educating, to say the least. But it’s also been a reminder that too many businesses really have no clue what they’re doing – not only in terms of their infosecurity, but also in their preparation for a breach.
Yesterday, I contacted a CPA firm in New Jersey that had been hacked by a Russian hacker known as “Return” (among other aliases). During a chat, Return had told me that he had hacked FraserCPA and had obtained more than 12 GB of data – W-2 statements, tax returns, correspondence, etc. As proof, he sent me 500 MB of files.
And as he has done with other targets (Man Alive and Hickey Law Firm), he sent an email to FraserCPA with a ransom demand. In this case, the business was told to pay 25 BTC within a week or Return would put the data up for sale on the dark web. The victim was told that he could contact Return on Jabber.
If I had to bet, I’d bet that Fraser had no idea how to obtain BTC, and likely had never heard of Jabber. But there are probably many people in that boat, and actually, those are the least of their problems right now. My conversation with Carlos Fraser was somewhat… puzzling, for lack of a more diplomatic term.
When I reached him yesterday morning, he had already received the ransom demand email, but admitted to me that he didn’t understand it. I’m not sure if he didn’t understand it because of Return’s English or because he just didn’t fully comprehend what had happened and was happening.
When I told him that I had 500 MB of files allegedly from his firm, he asked me for proof, so I started reading him the names on some of the files. He claimed he didn’t recognize any of them. Normally, that might give me pause that perhaps the data I had been given was fake, but I didn’t think Return had given me fake data, as I had already investigated two other hacks in which the sample data he had given me were confirmed as legitimate.
So I kept reading file names to Fraser and describing the data. He continued to say he didn’t recognize any of them. I asked him if he was the owner of the business, and learned that his father had been the owner. Well, that might explain his lack of recognition of file names or clients, as some of the files in the sample were old (and probably shouldn’t have been connected to the Internet any more, but that’s another issue). Maybe these files were his father’s clients? So I asked about his father and whether he was available for me to speak to.
Well, no, I couldn’t speak to the father because it turns out the father is currently in jail for tax return fraud.
[Yes, this conversation wasn’t getting any easier and I’m glad I wasn’t drinking coffee when he told me that…].
“What are you doing in response to all this?” I asked him. And that’s when he told me he had contacted the FTC.
Not the police, not the FBI, not the IRS, and not the NJ Attorney General’s Office, but the FTC. I have no idea why he thought that would be important to do as a first response. I do not write this to make fun of Mr. Fraser, as he’s not alone in not knowing what to do in the event of a breach. And that’s the problem – too many entities are unprepared.
Assuming that those files were all legitimate, and I continue to believe that they are, that small firm has a slew of people to notify of this breach, and it doesn’t look like they had any preparation for something like this, including a lawyer to call who could have taken charge of bringing in an IT expert, directing the firm as to the next steps, etc.
And that was only one of THREE conversations I had like that yesterday, where the people I contacted had no clue what to do and asked me to tell them what to do.
Sadly, but not surprisingly, when I chatted with Return later in the day, he told me he still had access to FraserCPA. I’m guessing that the firm didn’t know that, either, because their site is still online.
And we, the public, continue to trust our personal information and financial information to businesses or entities that do not have adequate infosecurity, may not have adequate insurance to cover breach costs, and do not have a clue what to do when data breach disaster hits.
If nothing else, it made me wonder why I’ve never asked my accountant about what security he has in place for my information. Do you know what security your accountant or tax preparer uses for your information? You might want to inquire.
I remember calling on a 3-man accounting firm a few years back. The door to the office building had a note from them to the other tenants asking that they not lock the entryway, to facilitate easy customer access. Inside their suite, the front desk wasn’t staffed and I saw 8 boxes of client files within view and easy reach behind the receptionist desk. Names were visible on the folder tabs.
When I met with the managing partner, he assured me he understood security, did a peer audit with another accounting firm every three years (even if it wasn’t really necessary) and stated that “until the federal government sent him a letter with his name on it stating he needed an outside security consultant” he was never going to move beyond his self-managed security model.
While I wish him no harm, he’s unlikely to change until something happens to him or a peer he thinks is as good as he is.
Ok, that’s scary. I wonder how many people would know to walk away in that situation. A “peer audit?” He knows how to check logs and firewall configurations and everything? Oh lordy…
This is why we can’t have nice things. 🙁