Update: So apparently the notification DataBreaches read is not what is sent out to affected consumers. That one can be found here, and it is not as detailed as the disclosure I have raved about. But do read about the one they sent New Hampshire that was excellent.
DataBreaches will leave it to others to critique Byte Federal’s data security prior to their reported incident(s), but DataBreaches is giving them a huge “bravo!” for their detailed disclosure that explains, to the best of their knowledge, what happened, when, and how to approximately 58,000 customers.
As just two examples taken from their disclosure:
On September 30, 2024, Byte Federal became aware of an unauthorized attempt to manipulate our database. However, there was no indication at the time that any customer information was at risk. We immediately blacklisted the attacker’s public address. By 10:00 AM, we had identified the attacker’s IP addresses leading to a temporary halt in operations and database lockdown. Further investigation revealed that the breach originated from a misconfiguration in our web server, which exposed a Personal Access Token in the .git/config file of our staging website. This token granted the attacker access to our GitLab code repository, allowing them to extract hardcoded data.
[…]
The data was encrypted, but the attacker also acquired the encryption key. We confirm that no customer funds or assets were lost, but we cannot confirm whether the data was sold on the dark web or otherwise shared. We have no way of knowing the attacker or their origin.
What a pleasure not to read some entity claiming that “they have no evidence of misuse or fraud…”
This is how to do disclosure transparently, folks.
byte-federal-20241213