Multiple reports on social media warn of a data breach at financial and risk advisory firm Kroll that exposed the personal data of some creditor claimants to an unauthorized third party.
Kroll, which is administering claims for the insolvent crypto companies FTX, BlockFi, and Genesis Global Holdco, has confirmed that one of its employees was the victim of a SIM-swapping attack.
The attackers took control of the Kroll employee's phone number and used it to gain access to files containing personal data of bankruptcy claimants.
FTX and BlockFi posted on X today that a security incident at Kroll involving unauthorized third-party access to its systems exposed "limited, non-sensitive customer data of specific claimants."
Although the nature of the exposed data is not explicitly described, the two companies clarify that user passwords and client funds have not been affected, as neither FTX's nor BlockFi's own systems were breached.
Both also state that Kroll will notify impacted individuals directly and that the company has already contained and remediated the incident.
In a statement today, Kroll says that on August 19 a threat actor targeted the T-Mobile account of a Kroll employee and succeeded in transferring that employee's phone number to a device under the attacker's control.
“As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis. Immediate actions were taken to secure the three affected accounts” – Kroll
Kroll says that it has already notified affected individuals.
Phishing underway
In the aftermath of the reported breach at Kroll, several creditors in the pending bankruptcy cases of the crypto firms posted on social media samples of phishing emails they had received.
In most of the reported cases, the messages impersonate FTX and claim that the recipient is eligible to begin withdrawing digital assets from their account, supposedly matching their last known balance on the platform.
These messages aim to trick recipients into entering the seed (recovery) phrases that protect their cryptocurrency wallets; whoever holds the seed phrase controls the wallet, so a successful lure lets the attackers drain it. No legitimate claims process needs a claimant's seed phrase, so any request for one is a reliable indicator of fraud.
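As an added example (not code from the original article or from any of the firms named in it), the following Python screens incoming claimant emails for the lure described above: an untrusted sender domain, a withdrawal or eligibility pitch, and a request for a seed phrase or private key. The allowlisted sender domain and the three sample messages are constructed assumptions for illustration.

```python
"""Heuristic screening of claimant-facing emails for seed-phrase phishing.

Added example, not code from Kroll, FTX, BlockFi, Genesis or the original
article. The trusted-domain allowlist and the sample messages below are
assumptions made for illustration only.
"""
import re
from email import message_from_string
from email.message import Message

# ASSUMPTION: domain(s) the real claims administrator sends from. Populate this
# from the administrator's published notices in a real deployment.
TRUSTED_SENDER_DOMAINS = {"example-claims.com"}

# A legitimate claims process has no reason to ask for any of these. Holding a
# seed phrase means full control of the wallet, so the request itself is the
# indicator, regardless of who the sender claims to be.
SEED_PATTERNS = [
    re.compile(r"\b(seed|recovery|secret|mnemonic)\s+(phrase|words?)\b", re.I),
    re.compile(r"\b(12|24)[-\s]word\b", re.I),
    re.compile(r"\bprivate\s+key\b", re.I),
]

# The lure seen in the reported campaign: a withdrawal or claim pitch tied to
# the recipient's funds or balance.
LURE_PATTERN = re.compile(
    r"\b(withdraw\w*|claim\w*)\b[\s\S]*?\b(digital\s+assets|funds|balance)\b", re.I
)


def sender_domain(msg: Message) -> str:
    """Return the lowercased domain from the From header ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Concatenate all text/plain parts, decoding with the declared charset."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw: str) -> dict:
    """Return sender domain, matched indicators and a phishing verdict for one RFC 5322 message."""
    msg = message_from_string(raw)
    text = body_text(msg)
    domain = sender_domain(msg)
    trusted = domain in TRUSTED_SENDER_DOMAINS
    asks_for_seed = any(p.search(text) for p in SEED_PATTERNS)
    has_lure = LURE_PATTERN.search(text) is not None

    indicators = []
    if not trusted:
        indicators.append(f"untrusted sender domain: {domain or '<none>'}")
    if asks_for_seed:
        indicators.append("requests seed phrase / private key")
    if has_lure:
        indicators.append("withdrawal/claim lure")

    # A seed-phrase request is phishing on its own (even from a trusted domain,
    # which could be compromised). Otherwise require an untrusted sender AND a
    # lure, so routine notices from the administrator are not flagged.
    phishing = asks_for_seed or (not trusted and has_lure)
    return {"sender_domain": domain, "indicators": indicators, "phishing": phishing}


# Constructed sample messages (not real emails from the campaign).
PHISHING_SAMPLE = """\
From: FTX Claims <claims@ftx-recovery-portal.example>
To: creditor@example.org
Subject: Your FTX withdrawal is available

You are eligible to begin withdrawing digital assets matching your last
known balance on the platform. To release your funds, confirm your
12-word seed phrase at the link below within 24 hours.
"""

BENIGN_SAMPLE = """\
From: Notices <noreply@example-claims.com>
To: creditor@example.org
Subject: Notice of data security incident

We are writing to notify you that certain files containing your personal
information were accessed by an unauthorized third party. Passwords and
account assets were not affected. No action is required from you.
"""

TRUSTED_LURE_SAMPLE = """\
From: Notices <noreply@example-claims.com>
To: creditor@example.org
Subject: Distribution update

You may now begin the withdrawal of approved funds through the official
portal using your existing login.
"""

if __name__ == "__main__":
    for name, raw in [("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE),
                      ("trusted-lure", TRUSTED_LURE_SAMPLE)]:
        print(name, score_message(raw))
```

The allowlist check is only meaningful if SPF, DKIM and DMARC are enforced upstream so the From header cannot simply be spoofed; the seed-phrase rule is deliberately unconditional because a compromised trusted sender is exactly the scenario a claims-administrator breach creates.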
Scope of the incident
Although Genesis has not published anything about the case, CoinDesk editor Rob Mitchell shared a notice from the firm about the data breach earlier today, which states that Kroll's incident resulted from a SIM-swapping attack on one of its employees' T-Mobile numbers.
The attackers used the hijacked number to bypass MFA, take over the employee's account and access files stored in Kroll's cloud-based systems, including full names, physical addresses, email addresses, and debtor claim details. A SIM swap only defeats a second factor that is delivered to the phone number (SMS or voice codes); authenticator apps and hardware-backed FIDO2/WebAuthn credentials are not affected by it.
Kroll handles restructuring cases for hundreds of entities, but a company spokesperson told BleepingComputer that the impact is limited to the three crypto firms named above and their creditors.
The security incident only impacted files pertaining to BlockFi, FTX and Genesis.
There is no evidence that the threat actor moved laterally or gained access to any other Kroll user accounts or systems. – Kroll spokesperson