
Cyber Incident Victim: Automatic Funds Transfer Services

Date: Feb 2021

Location: United States of America

Summary

A ransomware attack by the Cuba gang targeted Automatic Funds Transfer Services (AFTS), a payment processor and verification vendor used by multiple U.S. cities and agencies, leading to widespread data breaches. The attackers stole unencrypted files containing sensitive information such as financial documents, customer correspondence, vehicle registration records, utility billing details, and scanned checks from affected entities including municipal governments and the California DMV. The incident disrupted the vendor's operations, rendering its websites inaccessible, and the risk from the exposed data escalated as the threat actors attempted to sell the stolen information, with potential public release if the sale was unsuccessful.

Description

A ransomware attack targeted Automatic Funds Transfer Services (AFTS), a payment processor and address verification service used by numerous municipalities and agencies across California, Washington, and other US states, around February 3, 2021. The cybercrime group known as 'Cuba Ransomware' executed the attack by infiltrating AFTS’s network, exfiltrating unencrypted files, and deploying ransomware to encrypt systems. This human-operated attack involved prolonged network access, during which the threat actors stole credentials and sensitive documents before triggering encryption. The compromise severely disrupted AFTS’s operations, rendering its website and payment processing services inaccessible. A public-facing message on AFTS’s site cited “technical issues” as the cause of the outage. Cuba Ransomware later advertised the stolen data—including financial documents, bank correspondence, account records, balance sheets, and tax files—on their data leak site, threatening to release it freely if no buyers emerged.

The incident triggered data breach disclosures from multiple AFTS clients, revealing varied exposure scopes. The California Department of Motor Vehicles confirmed unauthorized access to vehicle registration records containing names, addresses, license plate numbers, and vehicle identification numbers (VINs). In Washington, the City of Kirkland reported no exposure of Social Security numbers (SSNs) or credit card data, while Lynnwood disclosed compromised billing information but excluded SSNs and driver’s licenses. Monroe warned of potential leaks involving utility account details and scanned paper checks, and Redmond cited possible exposure of names and addresses. Seattle acknowledged a third-party breach via AFTS, and the Lakewood Water District noted risks to billing data and scanned checks. The Port of Everett indicated possible exposure of personal or credit information. AFTS’s prolonged service disruption hindered payment processing for these entities, though no ransomware payment or data release was confirmed at the time of reporting.
