may 2024

American Debt Collector Discloses Data Breach Affecting Over 1.9 Million People

Financial Business and Consumer Solutions (FBCS) disclosed a massive data breach that affected over 1.9 million individuals. Unidentified attackers stole personal information, including full names, identification numbers, and financial account information, among other data. Prior to FBCS’ announcement, Cybersixgill detected a variety of threat actors on the underground selling access to organizations in the financial industry.


THE HEADLINE

On April 26, 2024, a U.S.-based debt collection company called Financial Business and Consumer Solutions[1] (FBCS) disclosed to its customers a data breach that affected close to two million individuals. According to FBCS, the company discovered that threat actors had access to its network since at least February 14, 2024. FBCS did not identify specific individuals or groups behind the attack, nor did the company specify whether threat actors demanded a ransom.

FBCS indicated that customers’ stolen personal information could have included full names, dates of birth, social security numbers, account information, driver’s license numbers, and identification card numbers. The type of information that was accessed in this breach could be used by threat actors on the underground for a range of malicious and fraudulent activities, from phishing campaigns to other social engineering attacks. Similarly problematic, the information may also be sold or leaked on the underground.

According to FBCS, the company took immediate steps to secure the impacted environment and launched an investigation with third-party forensics specialists to determine the full nature and scope of the incident. In accordance with relevant state law, FBCS disclosed to the Maine Attorney General’s Office details related to the breach. Specifically, FBCS identified the date it discovered the breach as February 26, 2024 and referred to it as an “external system breach (hacking),” as opposed to an insider threat or other form of attack. According to FBCS, the total number of individuals affected was 1,955,385 and the company has not experienced other breaches within 12 months.

As is customary when data breaches expose financial information or social security numbers, FBCS offered one year of complimentary credit monitoring and identity protection services through CyEx, which detects misuse of personal information and helps resolve cases of identity theft. The other steps FBCS mentioned in its customer notification included fraud alerts and credit file security freezes. FBCS also stressed the need to remain vigilant with regard to financial account statements and credit reports to regularly monitor for fraudulent or irregular activity.

FBCS did not indicate whether any evidence indicated that customer information had been misused.


DIVING DEEPER

Entities in the financial industry such as FBCS remain attractive targets for cybercriminals on the underground. While Cybersixgill observed neither a group/actor taking credit for the FBCS breach nor data related to the incident leaked on the underground, Cybersixgill did detect the type of access that may have been used in the FBCS breach advertised on cybercrime forums.

While the accesses discussed below do not appear to be related to FBCS itself, it is possible that the company was breached using a similar item advertised on the underground by an initial access broker (IAB).

In the following April 12, 2024 post, a member of a popular cybercrime forum advertised access to an unnamed company in the finance industry. The forum member has a high reputation score and is a frequent advertiser of corporate accesses such as this one. In this post, the threat actor specifies that the item provides access to a compromised VPN with domain admin privileges, in addition to RDP/Hyper-V access. RDP- and VPN-based accesses are the most common remote accesses and are usually provided in the form of valid login credentials for Citrix and Fortinet products.

A threat actor could abuse access with domain admin privileges to create, modify, and delete user accounts, in addition to accessing server infrastructure. Ultimately, this access could be used to steal and/or encrypt data, deploy malware, or maintain persistence for further malicious activities.

IABs such as this play a crucial role in the underground economy by selling remote access to compromised organizations’ systems, which attackers use for network intrusions. While Cybersixgill did not detect any direct evidence indicating that FBCS was breached using access sourced from an IAB, it is one of the ways that threat actors infiltrate entities in the financial sector.

Figure 1: A forum member advertises access to a compromised organization in the finance industry

In addition to the post above, Cybersixgill observed a variety of other accesses advertised on the underground, including the post below from a Russian-language cybercrime forum. In this post, the forum member not only provides company revenue, which is standard in such advertisements, but also offers to provide information about the compromised organizations from ZoomInfo. While this site compiles information about companies for legitimate purposes, threat actors could use these details to determine whether entities are potentially lucrative victims for attacks.

Figure 2: A forum member advertises accesses


TAKEAWAYS

The FBCS data breach represents a significant incident targeting a major player in the American debt collection industry, which is a key component of the finance sector. This breach reflects the extent to which threat actors value data related to the financial industry, which cybercriminals view as a potential source of payouts. The FBCS breach may also signal potential shortcomings in the company’s cybersecurity posture.

While the financial industry may be particularly tempting to threat actors, few if any industries have been spared by cyber attacks. As a result, all organizations should make sure to maintain proper security hygiene and implement the following best practices to reduce the attack surface:

· Enable multi-factor authentication (MFA) to add another layer of security, making it more difficult for cybercriminals to access corporate devices and accounts.

· Create data copies and backups on external servers that are isolated from the business network.

· Keep software and products up to date.

· Remain aware of new vulnerabilities and patch them accordingly.

· Instruct employees to use strong passwords on corporate login portals, and advise them not to click on links or attachments in suspicious emails.

[1] Financial Business and Consumer Solutions is a nationally licensed and bonded agency that collects debts related to consumer credit accounts, healthcare, auto loans/leases, utilities, and student loans.
