
Multiple reports on social media warn of a data breach at financial and risk advisory company Kroll that exposed the personal data of some claimants to an unauthorized third party.

Kroll, which is facilitating claims for the insolvent companies FTX, BlockFi, and Genesis Global Holdco, has confirmed that one of its employees was the victim of a SIM-swapping attack.

Hackers hijacked the Kroll employee's phone number and used it to gain access to some files containing personal data of bankruptcy claimants.

FTX and BlockFi posted on X today that a security incident at Kroll involving unauthorized third-party access on its systems exposed “limited, non-sensitive customer data of specific claimants.”


Although the nature of the exposed data is not explicitly mentioned, the two companies clarify that user passwords and client funds have not been impacted, as neither FTX's nor BlockFi's systems were directly breached.

Also, both state that Kroll will notify impacted individuals directly, and the company has already contained and remediated the incident.

In a statement today, Kroll says that on August 19 a threat actor targeted a T-Mobile account belonging to a Kroll employee and managed to steal the employee's phone number.

"As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis. Immediate actions were taken to secure the three affected accounts" - Kroll

Kroll says that it has already notified affected individuals.

Phishing underway

In the aftermath of the reported breach at Kroll, several people involved in the pending bankruptcy cases of the crypto firms posted on social media samples of phishing emails they had received.

In most of the reported cases, the messages sent to those people impersonate FTX and claim that the recipient is eligible to begin withdrawing digital assets from their accounts, supposedly matching their last known balance on the platform.

These messages aim to steal the seed phrases that protect recipients' cryptocurrency wallets so that the attackers can empty them.

Phishing message sent to one of the exposed claimants

Scope of the incident

Although Genesis has not published anything about the case, CoinDesk editor Rob Mitchell shared a notice from the firm about the data breach earlier today, which states that Kroll's incident resulted from a SIM-swapping attack on the T-Mobile number of one of its employees.

The attackers bypassed MFA to take over the employee's account and access files stored in Kroll's cloud-based systems, including full names, physical addresses, email addresses, and debtor claim details.

Excerpt of the Genesis notice

Kroll handles restructuring cases for hundreds of entities, but a Kroll spokesperson told BleepingComputer that the impact is limited to the three mentioned crypto-investment companies and their creditors.

"The security incident only impacted files pertaining to BlockFi, FTX and Genesis.

There is no evidence that the threat actor moved laterally or gained access to any other Kroll user accounts or systems." - Kroll spokesperson

UPDATE [August 25, 11:58 AM]: Article updated with the statement from Kroll.

UPDATE 2 [August 25, 15:23 EST]: Article updated with Kroll clarifications regarding the impact of the incident.
