IT and cloud solution provider PCM has confirmed that it suffered a breach in which threat actors reportedly sought customer information that could be used to carry out a gift card fraud attack.
The intruders appear to have gained access with stolen PCM administrative credentials used to manage client accounts within Microsoft’s Office 365, according to independent security expert Brian Krebs, who first reported the attack.
The breach is believed to have been discovered in mid-May 2019.
In a statement to KrebsOnSecurity, the US-based firm said that it had “recently experienced a cyber-incident that impacted certain of its systems.”
PCM said that its investigations into the hack “revealed minimal-to-no impact to PCM customers” and that it had made affected PCM customers aware of the incident.
Gift card fraud often involves criminals using stolen credentials to gain access to retailer gift cards. Purchases can often be made using only the gift card serial number. Criminals are increasingly turning to this type of fraud because it can be difficult to trace and is lucrative in high volume.
The gift card fraud motive of the attackers appears to be similar to that of the attackers behind the Wipro data breach in April. Krebs also noted that the domains set up by the intruders appeared “visually similar to that of Wipro customers”, although it is uncertain if the two cyberattacks are directly connected.
PCM data breach: “Low hanging fruit for cybercriminals”
The PCM data breach is an example of so-called ‘island hopping’, in which cyberattackers gain access to an organisation’s network to attack separate but associated companies.
A recent investigation by Reuters revealed how Chinese cyberspies exploited vulnerabilities in external cloud computing vendors to steal troves of data.
PCM works with over 2,000 clients around the world.
Commenting on the PCM data breach, Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said:
“Nowadays, trusted third-parties often have virtually unlimited and uncontrolled access to crown jewels of many large companies and organizations. Without sufficient capacities to invest in their own cybersecurity, they are a low-hanging fruit for cybercriminals.
“Growing competition forces many cloud providers to cut their internal costs in order to stay competitive thereby inevitably exacerbating the situation. Worse, many cloud providers don’t have sufficient capacities to detect sophisticated, long-lasting breaches and APTs [advanced persistent threats], most of which eventually remain undetected and uninvestigated. What we see in the media is just the tip of the iceberg.”
Jonathan Bensen, CISO at Balbix, said that it was “surprising” PCM did not have multi-factor authentication (MFA) enabled on their systems to “thwart the malicious third-party that falsely obtained PCM’s administrative credentials.”
He added that “by failing to secure its Office 365 with tighter controls and therefore putting its clients’ bottom lines at risk due to gift card fraud, PCM and its customers stand to suffer significant damage.
“PCM could lose some customers who have lost faith in the company to its competitors such as Zones, CDW or PC Connection. Not to mention the brand reputation and potential for lawsuits.”