August 16, 2022

Earlier this month, the administrator of the cybercrime forum Breached received a cease-and-desist letter from a cybersecurity firm. The missive alleged that an auction on the site for data stolen from 10 million customers of Mexico’s second-largest bank was fake news and harming the bank’s reputation. The administrator responded to this empty threat by purchasing the stolen banking data and leaking it on the forum for everyone to download.

On August 3, 2022, someone using the alias “Holistic-K1ller” posted on Breached a thread selling data allegedly stolen from Grupo Financiero Banorte, Mexico’s second-biggest financial institution by total loans. Holistic-K1ller said the database included the full names, addresses, phone numbers, Mexican tax IDs (RFC, the Registro Federal de Contribuyentes), email addresses and account balances for more than 10 million citizens.

There was no reason to believe Holistic-K1ller had fabricated their breach claim. This identity has been highly active on Breached and its predecessor RaidForums for more than two years, mostly selling databases from hacked Mexican entities. Last month, they sold information on 36 million customers of the Mexican phone company Telcel; in March, they sold 33,000 images of Mexican IDs — with the front picture and a selfie of each citizen. That same month, they also sold data on 1.4 million customers of Mexican lending platform Yotepresto.

But this history was either overlooked or ignored by Group-IB, the Singapore-based cybersecurity firm apparently hired by Banorte to help respond to the data breach.

“The Group-IB team has discovered a resource containing a fraudulent post offering to buy Grupo Financiero Banorte’s leaked databases,” reads a letter the Breached administrator said they received from Group-IB. “We ask you to remove this post containing Banorte data. Thank you for your cooperation and prompt attention to this urgent matter.”

The administrator of Breached is “Pompompurin,” the same individual who alerted this author in November 2021 to a glaring security hole in a U.S. Justice Department website that was used to spoof security alerts from the FBI. In a post to Breached on Aug. 8, Pompompurin said they bought the Banorte database from Holistic-K1ller’s sales thread because Group-IB was sending emails complaining about it.

“They also attempted to submit DMCA’s against the website,” Pompompurin wrote, referring to legal takedown requests under the Digital Millennium Copyright Act. “Make sure to tell Banorte that now they need to worry about the data being leaked instead of just being sold.”

Group-IB CEO Dmitriy Volkov said the company has seen some success in the past asking hackers to remove or take down certain information, but that making such requests is not a typical response for the security firm.

“It is not a common practice to send takedown notifications to such forums demanding that such content be removed,” Volkov said. “But these abuse letters are legally binding, which helps build a foundation for further steps taken by law enforcement agencies. Actions contrary to international rules in the regulated space of the Internet only lead to more severe crimes, which — as we know from the case of Raidforums — are successfully investigated and stopped by law enforcement.”

Banorte did not respond to requests for comment. But in a brief written statement picked up on Twitter, Banorte said there was no breach involving their infrastructure, and the data being sold is old.

“There has been no violation of our platforms and technological infrastructure,” Banorte said. “The set of information referred to is inaccurate and outdated, and does not put our users and customers at risk.”

That statement may be 100 percent true. Still, it is difficult to think of a better example of how not to do breach response. Banorte shrugging off this incident as a nothingburger is baffling: While it is almost certainly true that the bank balance information in the Banorte leak is now out of date, the rest of the information (tax IDs, phone numbers, email addresses) is harder to change.

“Is there one person from our community that think sending cease and desist letter to a hackers forum operator is a good idea?,” asked Ohad Zaidenberg, founder of CTI League, a volunteer emergency response community that emerged in 2020 to help fight COVID-19 related scams. “Who does it? Instead of helping, they pushed the organization from the hill.”

Kurt Seifried, director of IT for the Cloud Security Alliance, was similarly perplexed by the response to the Banorte breach.

“If the data wasn’t real… did the bank think a cease and desist would result in the listing being removed?” Seifried wondered on Twitter. “I mean, isn’t selling breach data a worse crime usually than slander or libel? What was their thought process?”

A more typical response when a large bank suspects a breach is to approach the seller privately through an intermediary to ascertain if the information is valid and what it might cost to take it off the market. While it may seem odd to expect cybercriminals to make good on their claims to sell stolen data to only one party, removing sold stolen items from inventory is a fairly basic function of virtually all cybercriminal markets today (apart from perhaps sites that traffic in stolen identity data).

At a minimum, negotiating or simply engaging with a data seller can buy the victim organization additional time and clues with which to investigate the claim and ideally notify affected parties of a breach before the stolen data winds up online.

It is true that a large number of hacked databases put up for sale on the cybercrime underground are sold only after a small subset of in-the-know thieves have harvested all of the low-hanging fruit in the data — e.g., access to cryptocurrency accounts or user credentials that are recycled across multiple websites. And it’s certainly not unheard of for cybercriminals to go back on their word and re-sell or leak information that they have sold previously.

But companies in the throes of responding to a data security incident do themselves and customers no favors when they underestimate their adversaries, or try to intimidate cybercrooks with legal threats. Such responses generally accomplish nothing, except unnecessarily upping the stakes for everyone involved while displaying a dangerous naiveté about how the cybercrime underground works.

Update, Aug. 17, 10:32 a.m.: Thanks to a typo by this author, a request for comment sent to Group-IB was not delivered in advance of this story. The copy above has been updated to include a comment from Group-IB’s CEO.


34 thoughts on “When Efforts to Contain a Data Breach Backfire”

  1. Chris Kling

    Where are the rest of the details around the information that was bought being leaked on the forum for everyone to download? It’s like you glanced over the whole end result of this happening without much to it. Do we know if this data is being used somewhere now? How many people downloaded it? Any other details?

    1. BrianKrebs Post author

      I have looked at the data and it appears to be what the seller is saying. It stands to reason that the data is now in the hands of many people who will try to think of ways to put it to ill use.

    2. mealy

      It’s like he’s not even trying to be clairvoyant! BK’s crystal ball must be in the shop.

  2. John Tillotson

    DMCA takedown notices? That’s utterly clueless. Somebody really dropped a clanger here.

    If you venture down the rabbit hole that is the founders of “Group-IB” you will quickly find “Dmitry Volkov” and “Ilya Sachkov”, Russian accusations of treason after Putin gave him an award, and other stuff that looks like it couldn’t be believed if it was fiction.

    There are few worlds weirder than cybersecurity.

    1. mealy

      There are few worlds weirder than cybersecurity. Russia easily makes that list though.

  3. luis andaleon

    Dear Mr. Krebs, I greatly admire your work and your blog. However, I must say that too much credibility is being given to a low-category cyber actor on the Breached forum; if a more detailed analysis is carried out in conjunction with other DDW sources, it will validate that said cyber actor is only dedicated to reselling old information with the aim of gaining reputation. Whether or not the information is true, I think I should carry out a more detailed analysis with the diamond model and other analytical techniques of this low-category cyber actor.

    1. NaN

      Brian has made a reputation for himself getting access to coveted forums and information. I would trust Brian’s gut any day over “diamond model analysis”. It’s what he does. The same goes for what Intel471 has on this actor. Besides, what credibility was given to the actor besides noting the same person has sold other databases successfully? That sounds like solid background research for the article to me.

  4. jake

    Before doing such action, Pompompurin should look into who is behind Group-IB. He should have done a little digging into it, and you’d find there are at least 2 people there you don’t want to mess with. Crime doesn’t pay!!

    1. Peter

      Why would pompompurin care about Russians? They don’t live in Russia from what I’ve gathered.

  5. Russian

    Hmm. Always thought Group-IB was a Russian company. And their founder (Ilya Sachkov) is currently under detention and charged with treason.

  6. Jhon Miller

    I only see a consultant hiring mediocre and cheap researchers, of the kind who promote themselves on Twitter as experts.

    1. robert sands

      You get what you pay for, and the infosec world is full of shady “experts” who really are no better than other scammers when they pretend to have expertise or tools they don’t have, and who rely on FUD to make a quick buck off panicking non-tech-proficient executive types.

  7. FSB general Vasya

    “Pompompurin should look onto who behind group ib is”

    It is 2 guys – IVAN PIZDUKOV, AND SERGEI EBAN’KOV.

    2 Russkies calling themselves SingaPOORean.

    FSB will give them an award – “TOP ASSCLOWNS OF THE YEAR”.

    Bryan, great remarks!

  8. FSB general Ivan

    Banorte are some lame assclowns, not surprised at all!

    Look:

    Wall Street’s industry-funded watchdog FINRA on Tuesday fined Mexican bank Grupo Financiero Banorte $475,000 for inadequate money-laundering
    https://www.reuters.com/article/mexico-banorte/mexicos-banorte-fined-in-u-s-for-lax-money-laundering-controls-idUSL2N0L217720140128

    Huge fine of nearly U.S. $2 million levied on Mexican bank after data breach
    https://www.technologylawdispatch.com/2015/09/privacy-data-protection/huge-fine-of-nearly-u-s-2-million-levied-on-mexican-bank-after-data-breach/

    Grupo Financiero Banorte Fined $2m for Failure to Notify Customers of Security Breach
    https://www.databreaches.net/mx-grupo-financiero-banorte-fined-2m-for-failure-to-notify-customers-of-security-breach/

    Not the first time!

    The breach came about during an update to Banorte’s IT systems in late 2014 and early 2015 but was not detected until sometime later. Around 20,000 accounts are thought to have been compromised, including information of past customers which should have been deleted under Mexico’s privacy laws, but contradicting reports made by the bank make it unclear what was lost.

    In Mexico, organisations that suffer a data breach must immediately notify their clients of the event. Banorte did notify the National Banking and Securities Commission (CNBV), as required under Mexican privacy laws, but then chose to inform only a number of premium customers rather than all individuals whose accounts were involved. The subsequent investigation by the CNBV found the bank in breach of data protection and privacy laws on two counts and a fine was applied.

      1. the other brian

        Just do adequate money laundering like Pfizer and Google!

  9. ADN

    Thank you BK for an outstanding example we can use when explaining to a board that a ‘cheap’ response company may not be the best bargain.

  10. Victor

    Looks like Group-IB is trying to do damage control with sock puppet accounts in the comments of this post.

    Try harder, you’re not fooling anybody.

  11. uhhhhhhhhhh

    That forehead-line in the FBI email is so good, I actually laughed out loud.

  12. Georg

    Is the “Hacker-K1ller” a typo or someone else, or maybe an earlier alias for “Holistic-K1ller”?

  13. Jlmet

    Mexican bank admin lazy natives with 0 education about cybersecurity chingones

  14. IWasBreached

    The data is 6 years old. How do I know? Because I’m on the list, and the information clearly is 6 years old, since the email referenced is one I stopped using almost 6 years ago (afaicr).

    The data seems to have been taken from a call center (probably an outsourced one, which kinda makes it frightening to think they have been sharing my data with a 3rd party without my consent), mostly because the leaked data looks like it was meant for verification purposes and for marketing.

  15. Kiril

    Hi Brian, thanks for your news – both this one and others over the years.
    A minor note on this one though. You’ve written ‘an auction… was fake news and harming the bank’s reputation’ but that screenshot does not mention ‘fake news’, only a ‘fraudulent post’. Guess the author of that GroupIB letter meant to say ‘your offer is illegal’ (that is, ‘and we’ll continue to work on the issue’), and did not mean ‘your claim is fake’ (which means, ‘and we don’t consider the issue serious at all’). Anyway whatever they meant, they’ve got what they’ve got.
    Also it’s probably no more correct to call GroupIB a ‘Singaporean’ company any more than, say, to call Google ‘Irish’.

  16. stranger

    It does not matter whether G-IB are Russian or Singaporean or Martians.

    If you, the commentators, hate Russians for your own reasons, it’s your choice to publicly demonstrate these disgusting traits of your character, but if you did not learn a lesson from the story, it’s your loss.

    I bet all of you have been secretly hunting for G-IB reports for years to look smart in front of your bosses and get your year-end bonuses without giving credit when it’s due…

    1. Jan Query

      Listen, few people online can be taken at face value no matter what they say, but especially if they’re making dull racist tropes of the usual order. Most of that is monkey see monkey do by casual derps as they have been socialized into abject mental poverty and this is their relegated version of high society, making insults about ethnic groups or religions on the internet. An entire generation of trolls and goblins have sprung out of this trend being under-moderated by default and as a result a large percentage of online society is pretty much worthless in terms of their shared opinions. Given all that, it does matter when you’re talking about criminal attributions of shady international crime rings to be as specific as possible in all aspects, including language, custom, quirk, grammar, word choice, naming conventions, references, any and all of that may be clues. It would be entirely pointless to assume there are not criminals of every race, color, creed, ethnicity, religion, location, and subgroup. There are. So rather than respond to the morons who make broad brush conclusions from specious tangents crafted of ignorant intent, just ignore them. They are nothing in this world but chaff being separated from what useful wheat remains. Share your mind in constructive ways as anything else is a waste or worse, just part of that feedback loop of garbage. Nostrovia.

  17. Data Security

    Data breaches are a serious concern for consumers, businesses, and anyone whose sensitive data has not yet been breached. Each year we hear about more data breaches, and more news surfaces about individuals’ sensitive data being stolen. Many of these cases involve well-known companies who have failed to take the necessary precautions to prevent data breaches from occurring.

  18. Alex

    Ilya Sachkov was imprisoned because he did not cooperate with the FSB. The accusation of treason is a cover.
