Cyber Incident Victim: Cortina Holdings
Date: Jun 2023
Location: Singapore
Summary
Cortina Holdings experienced a cybersecurity incident where an unauthorized actor gained access to one of its servers and encrypted its data. The company took immediate containment steps, including isolating the affected server and engaging external IT consultants. A partial database screenshot was subsequently published online by a threat actor, and the retailer began notifying affected parties whose data was compromised. Authorities, including the police, were informed of the breach.
Description
On or around June 6, 2023, luxury watch retailer Cortina Holdings publicly disclosed via a bourse filing that it had been subjected to a cybersecurity incident. The attack involved an unauthorized actor gaining access to one of the group’s servers and subsequently encrypting the data stored on it. The exact date of the initial intrusion was not specified in the public announcement, but the company confirmed that upon detection, immediate steps were taken to isolate the compromised server from its network to prevent further spread or damage. This action was part of the initial containment effort to control the scope of the incident.

The group engaged its external information technology consultant to assist with both containment and remedial efforts following the discovery of the attack. This involved forensic analysis to determine the extent of the breach and to work on recovering the encrypted data. Concurrently, Cortina Holdings formally reported the incident to the relevant authorities, including the Singapore Police Force and the Personal Data Protection Commission (PDPC), in compliance with regulatory obligations and to initiate an official investigation into the matter.
Although the company’s initial filing did not specify the exact nature or the full scope of the data that was compromised, it acknowledged that data belonging to various parties was affected. The group committed to notifying all affected individuals and entities, with the process set to begin on June 7, 2023, the day after the public disclosure. This notification effort was a direct response to the confirmed access of personal data by the threat actor.
Evidence of a data leak emerged publicly through a Twitter user operating under the name "Bassterlord." This individual published a partial screenshot purportedly showing a database belonging to Cortina Holdings. The attacker claimed that the data originated from a customer feedback form used by the company. Furthermore, the threat actor asserted that Cortina Holdings had been contacted but had refused to engage in discussions, suggesting a potential extortion attempt or negotiation surrounding the stolen data. This public disclosure by the attacker provided external confirmation that data exfiltration had occurred alongside the encryption of the server.
The incident did not result in any immediate reported disruption to the company's trading activities, as Cortina Holdings shares closed flat at S$3.66 on the day of the announcement. The primary impact was confined to the compromised server and the data it contained. In response to the breach, the company announced its intention to conduct a comprehensive review of the incident and its systems. This post-incident review aims to assess the vulnerabilities exploited and to strengthen security measures to ensure the data entrusted to the company is better protected in the future. The focus of this review is on preventing similar incidents and reinforcing the overall security posture of the organization.
