Databases of sensitive, financial and personally identifiable info and documents from Intcomex were leaked on a Russian-language hacker forum after a ransomware attack.
Hackers have stolen nearly a terabyte of data from a Miami-based tech firm, leaking a number of the pilfered files (including full credit-card information, scans of sensitive documents such as passports, bank statements and financial documents, and even customer databases) on a Russian hacker forum.
An investigation uncovered leaked data belonging to Intcomex, a very large value-added reseller (VAR) that provides technology products and services targeting Latin America and the Caribbean. The leaks occurred on Sept. 14 and Sept. 20, when hackers dumped the data in two parts on the forum.
“So far, the first release was a collection called ‘Internal Audit’ with a size of 16.6GB, while the second release is titled ‘Finance_ER,’ totaling 18GB,” according to a report on the CyberNews website. “Based on folder names, the most recent data comes from July 2020.”
The data appears to have been stolen as the result of a ransomware attack. Hackers promised to leak “the more interesting data”— which — at a later time, according to the report. A Russian-language note left along with the leaked data alludes to the hackers waiting to see if the company will pay up before releasing the rest of the data, which likely will be more full credit-card information, a treasure trove for hackers, according to the report.
CyberNews said it contacted Intcomex about the leak on Sept. 21, and the company confirmed that the database researchers saw on the forum is indeed its own.
Intcomex said it took “decisive steps to address the situation and protect our systems” upon learning about the leak and is working with third-party cybersecurity experts in the investigation of what happened, according to a media statement. The company also notified law enforcement and is in the process of letting “affected parties” know about the leak “as appropriate,” the company said.
The breach did not impact the services Intcomex provides to its partners, the company said. However, its sheer size, the sensitivity of the info, and the lack of breach detection by the company are extremely worrisome from a cybersecurity position, experts noted.
“Not only is this leak significant in the volume of data that was leaked, but also the sensitive contents of the data as well,” observed Erich Kron, security awareness advocate for security firm KnowBe4, in an email to Threatpost. “This is not a simple matter of an email address and a name; when sensitive information such as passport numbers and license scans along with payroll information are lost, these can cause significant damage to the users of the service, up to and including real identity theft.”
Threat actors also were able to steal the data and dump it online before the company even noticed, observed Chris Clements, vice president of solutions architecture for security firm Cerberus Sentinel.
“This highlights the ongoing shortcomings of businesses in detecting that a breach has occurred before the attacker has been able to do significant damage,” he said in an email to Threatpost. “In this case, attackers were apparently able to exfiltrate nearly a terabyte of sensitive information without detection.”
Indeed, the data leaked by the team is extensive and could be used by cybercriminals to launch further and comprehensive attacks on the company’s employees, customers or partners. Credit cards include the full number, expiration date, CVV2, and the holder’s full name, and document scans include full passport info for both U.S. and Latin American passport holders, as well as people’s Social Security numbers and full driver-license info.
The fact that the company operates across country borders also could mean a very messy and expensive clean-up operation on the backend of the leak, Kron noted.
“Between legal fees, fines and identity-theft protection services being provided to the victims, these types of attacks can be very costly for organizations,” he said. “In addition, with this organization serving 41 countries, they are going to have a mess of notification requirements and additional fines are likely from foreign entities.”