Cyber Incident Victim: Kroll Associates
Date: Aug 2023
Location: United States of America
Summary
A cyber threat actor executed a sophisticated SIM swap attack against a Kroll employee's T-Mobile account. This unauthorized access allowed the actor to obtain certain files containing personal information of claimants in the BlockFi, FTX, and Genesis bankruptcy cases. Immediate action was taken to secure the affected accounts, and affected individuals were notified. Kroll systems were not otherwise impacted.
Description
On or around August 19, 2023, Kroll became the victim of a cybersecurity incident stemming from a highly sophisticated attack directed at a T-Mobile US, Inc. account belonging to one of its employees. The company was subsequently informed that the specific attack method used was a "SIM swapping" attack: at the threat actor's direct request, T-Mobile transferred the employee's phone number to a SIM controlled by the actor. The transfer was carried out without any authority from, or contact with, Kroll or the employee in question. Because SMS messages are delivered to whichever SIM the carrier currently associates with a number, the port-out gave the threat actor a way to receive the employee's text messages, including SMS-delivered multi-factor authentication codes and other sensitive notifications. This failure in the carrier's customer-account controls, not a weakness in Kroll's own systems, was the initial entry point for the subsequent compromise.

As a direct result of the successful SIM swap, it appears the threat actor gained access to certain files stored within the compromised employee accounts. These files contained personal information pertaining to bankruptcy claimants involved in specific, high-profile cryptocurrency bankruptcy proceedings. The affected cases were identified as the matters of BlockFi, FTX, and Genesis Global Capital. The nature of the information contained within these files was sensitive, constituting personal data of individuals who had filed claims in these restructuring processes. The immediate consequence was a potential data breach exposing the personal details of these claimants, though the exact scope and specific data elements were not detailed in the initial disclosure.
Upon discovery of the incident, immediate actions were taken by Kroll to contain the breach and mitigate any further unauthorized access. The primary response involved securing the three specific employee accounts that were identified as having been compromised. This swift action was aimed at locking down the affected systems and preventing the threat actor from maintaining access or exfiltrating additional data. The company’s incident response protocol was activated to address the security lapse and to assess the full extent of the impact on data and systems. The focus was on isolating the breached accounts to ensure no other parts of the Kroll network were accessible through the same means.
Kroll has cooperated with law enforcement authorities, specifically the Federal Bureau of Investigation (FBI), and a full investigation into the incident is underway. This collaboration indicates the serious nature of the breach and the commitment to pursuing the threat actors responsible for the SIM swapping attack. The involvement of federal authorities also suggests that the incident is being treated as a criminal matter, with efforts focused on attributing the attack and understanding the full methodology employed by the cyber threat actor. The company has stated it has no evidence to suggest that any other Kroll systems or accounts beyond the three initially identified were impacted by this specific attack, indicating that the compromise was contained to a limited set of credentials and files.
In response to the incident, Kroll took steps to directly notify the individuals whose personal information was contained in the accessed files. Affected individuals, who are bankruptcy claimants in the BlockFi, FTX, and Genesis cases, were notified by email. This notification is a key component of regulatory and ethical obligations following a data security incident, ensuring that impacted parties are made aware of the potential exposure of their data. The communication allows claimants to be vigilant for any signs of identity theft or phishing attempts that might stem from this data breach. The company also used this opportunity to reiterate its official communication protocols to help individuals distinguish legitimate contacts from potential fraud attempts.
Kroll provided specific guidance to clarify what it would never ask or require claimants to do in connection with the processing of bankruptcy claims or the distribution of assets. This guidance serves as a security advisory to help prevent further victimization through social engineering or phishing attacks that might exploit the news of the breach. The firm stated it would never instruct claimants to link a cryptocurrency wallet to a website or application, nor would it ask for a seed phrase or private keys. Furthermore, Kroll confirmed it would not require the download of any software or the use of a particular wallet application. The company also emphasized that it would never request a password over email, text message, or over the phone, and it would not solicit personal identifying information, such as a birthday or social security number, over email, social media, or in any manner other than through a Court-approved process posted to its official Restructuring Administration case website or the Court’s docket.
The incident underscores the persistent threat posed by SIM swapping, a technique that targets the victim's mobile carrier rather than the target company's own defenses. The attacker socially engineers, bribes, or otherwise abuses the carrier's customer-service or port-out process to have the victim's number moved to a SIM the attacker controls. From that point, every SMS addressed to the number, including one-time login codes and password-reset links, is delivered to the attacker's device, so any account whose second factor or recovery path is bound to the phone number can be taken over: email, cloud storage, and any other service tied to that number. The practical lesson is that a phone number is an identifier the carrier can reassign, not a credential the account owner controls; second factors that live on the device itself (an authenticator app or a hardware security key) are unaffected by a port-out, and carrier-side port-out PINs or number locks raise the cost of the swap in the first place.
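To make the failure mode above concrete, the following is an added example (not Kroll's or T-Mobile's code, and not drawn from the incident disclosure) that models a carrier as a number-to-SIM routing table and runs two second factors through a port-out: an SMS one-time code, which follows the number to the attacker, and an RFC 6238 TOTP code, which is computed from a secret enrolled on the employee's device and never traverses the carrier. The phone number, SIM identifiers, and user names are constructed for illustration; the TOTP routine is checked against the RFC 6238 reference vectors.

```python
"""Why SMS-based MFA fails under SIM swap while device-bound TOTP does not.

Added example, not code from Kroll or T-Mobile.  Carrier, numbers, SIM ids
and user names are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import struct
import time


class Carrier:
    """Toy carrier: routes each phone number to the SIM that receives its texts."""

    def __init__(self):
        self.number_to_sim = {}
        self.inbox = {}  # sim_id -> list of SMS bodies delivered to that SIM

    def provision(self, number, sim_id):
        self.number_to_sim[number] = sim_id
        self.inbox.setdefault(sim_id, [])

    def port_number(self, number, new_sim_id):
        """The SIM-swap step: the carrier re-points the number at another SIM.
        Neither the subscriber nor their employer is consulted in this model."""
        self.number_to_sim[number] = new_sim_id
        self.inbox.setdefault(new_sim_id, [])

    def send_sms(self, number, body):
        self.inbox[self.number_to_sim[number]].append(body)


class SmsOtpService:
    """SMS second factor: the code goes wherever the carrier routes the number."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.pending = {}

    def challenge(self, user, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.carrier.send_sms(number, f"Your login code is {code}")
        return code

    def verify(self, user, code):
        return hmac.compare_digest(self.pending.get(user, ""), code)


def totp(secret, timestamp, step=30, digits=8):
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


class TotpService:
    """Device-bound second factor: secret enrolled once, nothing sent over SMS."""

    def __init__(self):
        self.secrets = {}

    def enroll(self, user):
        self.secrets[user] = secrets.token_bytes(20)
        return self.secrets[user]

    def verify(self, user, code, now=None, window=1):
        now = int(time.time()) if now is None else now
        secret = self.secrets.get(user)
        if secret is None:
            return False
        # Accept +/- one step so a code generated just before the boundary still works.
        return any(hmac.compare_digest(totp(secret, now + d * 30), code)
                   for d in range(-window, window + 1))


def sim_swap_scenario():
    """Run both factors through a port-out and report what each side observed."""
    carrier = Carrier()
    carrier.provision("+15550100", "employee-sim")
    sms = SmsOtpService(carrier)

    code = sms.challenge("employee", "+15550100")
    employee_got_first_code = any(code in m for m in carrier.inbox["employee-sim"])

    # The attacker has the carrier move the number to a SIM they control.
    carrier.port_number("+15550100", "attacker-sim")
    code = sms.challenge("employee", "+15550100")
    attacker_got_second_code = any(code in m for m in carrier.inbox["attacker-sim"])
    attacker_passes_sms_mfa = sms.verify("employee", code)

    # TOTP login after the swap: the attacker holds the number but not the secret,
    # and no message is handed to the carrier at all.
    totp_svc = TotpService()
    device_secret = totp_svc.enroll("employee")
    texts_before = sum(len(v) for v in carrier.inbox.values())
    employee_passes_totp = totp_svc.verify("employee", totp(device_secret, int(time.time())))
    texts_after = sum(len(v) for v in carrier.inbox.values())

    return {
        "employee_got_first_code": employee_got_first_code,
        "attacker_got_second_code": attacker_got_second_code,
        "attacker_passes_sms_mfa": attacker_passes_sms_mfa,
        "employee_passes_totp": employee_passes_totp,
        "totp_sent_anything_via_carrier": texts_after != texts_before,
    }
```

The point of the model is the routing table: the SMS service never learns that the number was re-pointed, so the same `challenge` call that protected the employee before the swap authenticates the attacker after it. The TOTP verifier, by contrast, holds nothing the carrier can reassign.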
Kroll expressed deep regret for any inconvenience or concern the situation may have caused to those affected. The company reiterated its ongoing commitment to prioritizing data security and information protection across the entire firm. This statement is part of the effort to maintain trust with clients, partners, and the community following a security event. The prioritization of safety and trust is presented as a core value, and the incident response actions are framed within this broader commitment to security. The company’s approach has been to address the incident transparently by disclosing the known facts, outlining the steps taken to remediate the issue, and cooperating with the appropriate authorities for a comprehensive investigation. The full investigation aims to provide a more complete understanding of the attack and to inform future security measures to prevent similar incidents.
