A class-action lawsuit was filed against Intuit, a software company, after its email marketing service was hacked and cyber criminals stole cryptocurrencies from Trezor users.
The hackers deployed a phishing attack on March 26 and gained entry into the crypto wallets that are sold by Trezor, a Czech company, according to a federal lawsuit filed in the U.S. District Court, Northern District of California in San Jose, California.
The lawsuit blames Intuit and Rocket Science Group LLC, a subsidiary which operates Mailchimp, but not Trezor. The lawsuit was filed by Alan Levinson, an Illinois man who said $87,000 worth of cryptocurrencies were stolen by hackers from the account.
Intuit is accused of “failing to take adequate and reasonable measures to ensure that its data systems were protected” for Trezor account holders. Mailchimp’s email accounts were allegedly accessed by the hackers when an employee clicked on a malicious link, the lawsuit said.
The hackers reportedly gained access when one of its employees clicked on a malicious link in an email, according to the suit.
“Defendants fell victim to one of the oldest cybertricks in the book,” Levinson claims in the lawsuit.
Intuit’s spokesperson declined to comment. The company said its security team learned about a bad actor on March 26 attempting to access an internal tool used by employees for customer support and account administration, according to a blog post written Siobhan Smyth, chief information security officer at Mailchimp.
“The incident was propagated by a bad actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised,” she wrote.
Mailchimp said its internal investigation revealed that 319 Mailchimp accounts were viewed and “audience data was exported from 102 of those accounts,” Smyth wrote. “Our findings show that this was a targeted incident focused on users in industries related to cryptocurrency and finance.”
Phishing attacks continue to be a “serious problem” for companies in all industries since attackers use it as their primary strategy to steal “legitimate credentials and gain access to cloud infrastructure and customer data,” Hank Schless, senior manager, security solutions at Lookout, a San Francisco-based security service edge provider, told TheStreet.
Attackers now are seeking out more discreet ways instead of obvious hacks to steal data, he said.
Crypto Easy Target
Cryptocurrency companies and wallets are often hacked since many of the companies are relatively young and could lack advanced security practices, Scheless said.
“From the consumer side, there seems to be a new coin or exchange being released every day, so they might operate with less caution in hopes of getting in on the next big thing in crypto,” he said. “Attackers use this against them to trick them with phishing campaigns.”
Hackers are fans of crypto because stealing and hiding the funds is easy and hard to track.
Keeping Customer Data Secure
Securing sensitive customer data should be the number one priority for every company no matter what industry they are working in, Schless said.
“Your customers also expect you to keep their data secure,” he said. “With the universal focus on personal data protection, brand loyalty can be tightly tied to whether the consumer feels like an organization is doing enough to keep their personal sensitive information safe.”
Several data privacy and compliance laws focus on securing customer data and violating them can “lead to detrimental fines and reputational damage for any organization,” Schless said.
Who Is To Blame?
Depending on the hack, it can be difficult to tell who is ultimately responsible for a breach, data theft or other compromise, Mike Parkin, senior technical engineer at Vulcan Cyber, an Israeli provider of SaaS for enterprise cyber risk remediation, told TheStreet.
The situation becomes even more complicated when phishing or other social engineering attacks are used and determining the responsible party is even more challenging, he said.
Customer email addresses should be protected and companies should be liable when they are leaked, but the targets who “fall for social engineering attacks aren’t entirely blameless,” Parkin said.
All companies use third parties for various operations and end products, but they are “always responsible for what happens with the data and the access others have,” Chris Pierson, CEO of BlackCloak, an Orlando, Fla.-based executive digital protection company, told TheStreet.
“They have to ensure the right privacy and cybersecurity controls are in place,” he said. “This vendor assurance is critical for ensuring that data is protected, information is used how it is intended, and operations run smoothly.”
Since security is rarely a binary issue, liability remains a complex area after a cyber attack, Andrew Barratt, vice president at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services, told TheStreet.
“One area that is often overlooked is the impact of cascading, or supply chain attacks, where a vendor is compromised solely for access to their data or access to their customer’s infrastructure,” he said.
Other Legal Issues for Intuit
Intuit also operates TurboTax, QuickBooks, Credit Karma and Mint. The company is facing other issues for its TurboTax software. The Federal Trade Commission sued the company on March 29 for claiming that consumers could file their taxes via TurboTax for “free.” The FTC said the claim is deceptive and wants the company to halt its ads for “free” products immediately.
In 2020, over two thirds of people filing their taxes were not able to use TurboTax’s free product, the FTC said.
“The Commission alleges that the company’s ubiquitous advertisements touting their supposedly “free” products—some of which have consisted almost entirely of the word “free” spoken repeatedly—mislead consumers into believing that they can file their taxes for free with TurboTax,” the FTC said. “In fact, most tax filers can’t use the company’s “free” service because it is not available to millions of taxpayers, such as those who get a 1099 form for work in the gig economy, or those who earn farm income.”
“TurboTax is bombarding consumers with ads for ‘free’ tax filing services, and then hitting them with charges when it’s time to file,” said Samuel Levine, Director of the Bureau of Consumer Protection.
