Threat Watch

Multiple Cities Disclose Data Breach After Vendor’s Ransomware Attack

A ransomware attack against a widely used payment processor has forced data breach notifications from several cities in California and Washington. Automatic Funds Transfer Services (AFTS) provides payment processing and address verification to many cities and agencies in Washington, California, and other US states. Because AFTS collects a wide variety of sensitive data to bill and verify customers and residents, an attack on it can have a massive and widespread impact. The breach happened around February 3rd, when a criminal gang known as ‘Cuba Ransomware’ stole unencrypted files and then deployed their ransomware against AFTS. The attack has caused serious disruption to AFTS business operations, taking its website offline and halting payment processing. Like other human-operated ransomware, Cuba Ransomware breaches a network, slowly spreads through servers, steals network credentials and unencrypted files, and finally deploys its ransomware to encrypt the devices. On its data leak site, the Cuba gang claims to have stolen “financial documents, correspondence with bank employees, account movements, balance sheets, and tax documents.” If the Cuba gang cannot find a buyer for the stolen data, they will most likely release it for free, allowing it to be used by other cybercriminals. Because of the large amount of data potentially stolen by the Cuba ransomware gang, cities that use AFTS have begun issuing data breach notifications. The data potentially stolen may include names, addresses, phone numbers, license plate numbers, VINs, credit card information, scanned paper checks, and billing details. So far, the California Department of Motor Vehicles, the Washington cities of Kirkland, Lynnwood, Monroe, Redmond, and Seattle, the Lakewood Water District, and the Port of Everett have disclosed data breach notifications, and more cities are likely to be added to the list soon.

ANALYST NOTES

Organizations are strongly advised to audit not only their own network services but also their third-party vendors. Routine penetration testing of networks should be a component of any security program. Individuals affected by these breaches should monitor their bank and credit accounts for unusual or malicious activity. Any unusual activity should be reported to the person’s banking institution so the incident can be investigated.

Source Article: https://www.bleepingcomputer.com/news/security/us-cities-disclose-data-breaches-after-vendors-ransomware-attack/