Portland email marketing provider Customer.io said five more customers have been affected by an insider leak of email addresses to an "external bad actor" after an initial report by NFT marketplace OpenSea of a security lapse.
The employee who took the data has been terminated and reported to law enforcement, the company said in a statement. The employee in question was a senior engineer and had access to the data as part of their job. The addresses were all sent to the same “external bad actor,” according to the company.
Customer.io said the actions were limited to the one employee.
The company said it launched “a comprehensive security review” and has already made several changes including:
- The intrusion detection system and immutable logging have been improved to provide more proactive notifications of data exfiltration.
- Access to production systems and data stores has been further restricted.
- If accessing a customer account, Customer.io staff can no longer export customer data.
On June 30, news emerged that a Customer.io employee had given email information about OpenSea customers to “an unauthorized external party.” In turn, OpenSea alerted its customers to a potential for increased phishing or other scams using that data.
External security breaches are frequently the topic when discussing corporate cybersecurity, but insider threats are also of concern. An insider threat is when someone inside an organization uses authorized access for malicious purposes, according to the U.S. Cybersecurity and Infrastructure Security Agency.
CISA publishes online definitions of insider threats and resources for companies seeking guidance on mitigating them.
According to research firm the Ponemon Institute and security company Proofpoint, insider threat incidents rose 44% over the past two years.
Customer.io declined to name the other companies affected. Here is the company’s full statement:
After further investigating the compromised OpenSea email addresses incident, we have learned today that the email addresses from five other customers were also provided to the same external bad actor.
We know this was a result of the deliberate actions of a senior engineer who had an appropriate level of access to perform their duties, and provided these email addresses to the bad actor. This action was limited to this single employee.
Despite the many precautions taken to protect our customer data, the employee’s role enabled specific access to these email addresses. This employee has been terminated, all access has been revoked and we have reported this employee to law enforcement.
The protection of our customers’ data is our first priority and this employee’s actions let us all down. We have alerted the five other customers to this information and sincerely apologize to them.
We launched a comprehensive security review of our access and security policies to prevent an insider threat from happening again and have already made the following changes:
- Our intrusion detection system and immutable logging have been improved to provide more proactive notifications of data exfiltration.
- Access to production systems and data stores has been further restricted.
- All access and authorization keys for critical services were reviewed and rotated.
- Access to the data in customers’ accounts by Customer.io employees is now opt-in as a setting (and turned off by default). Customers can now grant Customer.io’s support team access to their account for a limited time and only if they choose to.
- If accessing a customer account, Customer.io staff can no longer export customer data.
- We’re refreshing and will be retraining all staff on our security policies.
We continue to review and audit our compliance policies and are committed to making further changes with high priority to ensure protection of customer data.
After consulting with our third-party cyber investigations firm we have not found evidence of any other customers having had their email addresses compromised. We do not expect to learn any additional information since this incident resulted from the actions of a single employee, who had legitimate access to these email addresses as part of the employee’s job.