Framework discloses data breach after accountant gets phished

Framework Computer disclosed a data breach exposing the personal information of an undisclosed number of customers after Keating Consulting Group, its accounting service provider, fell victim to a phishing attack.

The California-based manufacturer of upgradeable and modular laptops says a Keating Consulting accountant was tricked on January 11 by a threat actor impersonating Framework's CEO into sharing a spreadsheet containing customers' personally identifiable information (PII) "associated with outstanding balances for Framework purchases."

"On January 9th, at 4:27am PST, the attacker sent an email to the accountant impersonating our CEO asking for Accounts Receivable information pertaining to outstanding balances for Framework purchases," the company says in data breach notification letters sent to affected individuals.

"On January 11th at 8:13am PST, the accountant responded to the attacker and provided a spreadsheet with the following information: Full Name, Email Address, Balance Owed.

"Note that this list was primarily of a subset of open pre-orders, but some completed past orders with pending accounting syncs were also included in this list."

Framework says its Head of Finance notified Keating Consulting's leadership of the attack once he became aware of the breach roughly 29 minutes after the external accountant replied to the attacker's emails at 8:42 AM PST on January 11th.

As part of a subsequent investigation, the company identified all customers whose information was exposed in the attack and notified them of the incident via email.

Affected customers warned of phishing risks

Since the exposed data includes the names of customers, their email addresses, and their outstanding balances, it could potentially be used in phishing attacks that impersonate the company to request payment information or redirect to malicious websites designed to gather even more sensitive information from those impacted.

The company added that it only sends emails from 'support@frame.work' asking customers to update their information when a payment has failed and it never asks for payment information via email. Customers are urged to contact the company's support team about any suspicious emails they receive.

Framework says that from now on, all Keating Consulting employees with access to Framework customer information will be required to have mandatory phishing and social engineering attack training.

"We are also auditing their standard operating procedures around information requests," the company added.

"We are additionally auditing the trainings and standard operating procedures of all other accounting and finance consultants who currently or previously have had access to customer information."

A Framework spokesperson was not immediately available for comment when BleepingComputer asked about the number of affected customers in the data breach.