Cyber Incident Victim: PCM Inc.

Date: May 2019

Location: United States of America

Summary

A major U.S. cloud solution provider experienced a cyber incident where attackers compromised administrative credentials for managing client Office 365 accounts, enabling unauthorized access to email and file-sharing systems. The intruders targeted information facilitating gift card fraud at retailers and financial institutions, aligning with tactics observed in prior breaches targeting IT service providers. The company asserted minimal customer impact, notifying potentially affected clients and remediating the breach, which occurred amid its acquisition by another IT firm. This incident underscores cybercriminals' focus on compromising technology providers with broad client access, mirroring broader patterns of attacks against cloud infrastructure managers.

Description

In mid-May 2019, PCM Inc., a California-based cloud solution provider with approximately 4,000 employees and over 2,000 customers, discovered a digital intrusion that compromised some client email and file sharing systems. Attackers obtained administrative credentials PCM used to manage client accounts within Microsoft’s Office 365 platform, enabling access to customer environments. The breach was disclosed by KrebsOnSecurity on June 27, 2019, following internal investigations. Sources indicated the attackers primarily sought information to facilitate gift card fraud at retailers and financial institutions, mirroring the objectives of hackers who breached Indian IT firm Wipro earlier that year. PCM had been named as a target of the same hacking group responsible for the Wipro intrusion, though investigators could not confirm whether the PCM incident was a direct continuation of that campaign or a separate attack. The Wipro attackers had established domains resembling those of its customers, a tactic not explicitly confirmed in the PCM breach but noted as part of the broader threat group’s methodology.

PCM stated the cyber incident impacted "certain of its systems" but asserted the matter had been remediated with "limited" system impact. The company claimed minimal-to-no effect on customers overall, emphasizing that only potentially affected clients were notified and assisted with resolving concerns. PCM did not respond to initial inquiries about its connection to the Wipro attacks in April 2019 but issued its statement after KrebsOnSecurity’s June report. On June 24, 2019, PCM announced its pending acquisition by Insight Enterprises, which did not comment on the breach. Cybersecurity firm RiskIQ linked the threat actor behind the Wipro and PCM incidents to a group active since 2016, targeting gift card providers for their liquid assets outside traditional financial systems. The breach exemplified a trend of attacks against cloud providers and IT consultancies managing client resources, paralleling Reuters’ contemporaneous reporting on Chinese state-sponsored "Cloud Hopper" operations against major IT suppliers from 2014 to 2017.
