Date: Feb 2018

Location: United States of America

Summary

A financial industry cyber threat-sharing organization experienced a phishing incident when an employee's compromised credentials allowed attackers to distribute further phishing emails to select members and affiliates. The impact was limited due to rapid detection and reporting by recipients. The targeted employee lacked multi-factor authentication (MFA), which was in the process of being implemented across all organizational assets at the time. Following the breach, MFA deployment was accelerated and Office 365 security enhancements were applied. Leadership confirmed the attack was non-targeted and unsophisticated, emphasizing that critical systems like the member portal remained protected by existing MFA controls. The incident highlighted ongoing security awareness efforts while underscoring vulnerabilities in less fortified operational areas.

Description

On February 28, 2018, the Financial Services Information Sharing and Analysis Center (FS-ISAC) experienced a phishing incident originating from a compromised employee email account. An FS-ISAC employee clicked on a phishing email, resulting in the theft of their login credentials. An unidentified threat actor used these credentials to access the employee’s email account and crafted a new phishing email containing a PDF with a link to a credential-harvesting site. This malicious email was sent to select FS-ISAC members, affiliates, and employees. The attack did not target the organization’s member portal or core data repositories, which were protected by multifactor authentication (MFA). FS-ISAC members who received the phishing email quickly identified and reported it as suspicious, limiting the attack’s spread. The organization confirmed the incident was contained with minimal fallout, attributing the breach to a routine, non-targeted phishing campaign rather than a sophisticated or deliberate attack against the institution.

FS-ISAC responded by notifying members via an alert detailing the compromise and confirming no member data was exposed. The organization disclosed it had already been planning an MFA rollout for all email platforms prior to the incident but accelerated implementation after determining the breached employee’s account lacked MFA protection. FS-ISAC upgraded its Office 365 email environment to enhance visibility and security controls. CEO Bill Nelson acknowledged the breach highlighted vulnerabilities in “softer targets” like unprotected email accounts, despite regular security awareness training for staff. The organization emphasized its commitment to reinforcing security protocols in collaboration with its board of directors, while noting the incident underscored that even cybersecurity-focused entities remain susceptible to basic phishing tactics exploiting trusted communication channels.
