Data Processing Delays
Incident Report for cielo24
Postmortem

Executive summary

Incident summary

  • On September 13, 2022, an unauthorized and unknown intruder gained partial access to Cielo24’s production system
  • The system was partially inaccessible between Monday, September 12, 2022, 2:44 PM PT (GMT -07:00) and Tuesday, September 13, 2022, 7:35 AM PT (GMT -07:00)
  • The system was fully recovered and the incident closed Tuesday, September 13, 2022, 7:35 AM PT (GMT -07:00)
  • We continue to monitor the system and have had no indication of further problems, security or operational, following the conclusion of this incident

What data or information was involved:

  • We have positive evidence, described below, that no data was extracted from the environment
  • We found no secondary data to suggest that data was extracted from the environment
  • We have checked for data modification and found none
  • We feel confident that client data was not modified or extracted during this incident

Breach Information

  • Total Number of Customers Where Data was Affected: 0
  • Date(s) Breach Occurred: 09-12-2022, 09-13-2022
  • Date(s) Breach Discovered: 09-12-2022
  • Description of the Breach: Microservice breach impacted the main database
  • Information disclosure: None currently in evidence

Timeline

  • 09-12-2022, 02:45 PM PST - The cloud logs show the start of the incident
  • 09-12-2022, 03:01 PM PST - Ops team reported the system issues
  • 09-12-2022, 03:03 PM PST - GCP notified cielo24 about unusual activity
  • 09-12-2022, 03:10 PM PST - The DevOps team started investigating the issue
  • 09-12-2022, 03:40 PM PST - System credentials were rotated and the system was partially operational
  • 09-13-2022, 04:00 AM PST - Identified the exact security breach and launched remediation
  • 09-13-2022, 05:45 AM PST - Initiated database restoration as a precautionary measure
  • 09-13-2022, 07:40 AM PST - The system returns to fully functional operation

Root cause analysis

The attacker compromised one of our microservices and, through it, gained partial access to our database. The aim of the breach appeared to be the servers' computational resources rather than the data itself: the attacker used the servers to run cryptocurrency mining software.

Data loss analysis

Our ops team examined the database logs for the entire time interval, and no unusual database commands were run during this time; this is positive evidence that client data was not exfiltrated during the incident. We also examined the network and storage input/output logs for the same interval, and there was no unusual I/O on the system at the storage or network level, which there would have been had there been large-scale data extraction. Finally, we compared the database against its historical values, and no data discrepancies were seen, indicating that no client data was modified during the attack.
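The three checks described above, run over constructed sample data, as an added example that is not cielo24's own tooling: an egress-volume comparison against a quiet-period baseline, a scan of database audit-log lines for statement verbs or users outside the application's normal set, and a row-digest comparison between two snapshots. The log formats, baseline parameters, the allow-list and the sample values are all assumptions made for this example.

```python
"""Added example (not cielo24's code): the kinds of checks a data-loss analysis
runs after an intrusion, over constructed sample data.

1. Egress volume: compare each interval's bytes-out against a robust baseline
   (median + k * MAD) taken from a preceding quiet period. A bulk export shows
   up as a sustained spike; mining traffic and ordinary load do not.
2. Database audit log: flag statements whose leading verb the application never
   issues (DDL, grants, bulk copy) or that come from an unexpected user.
3. Snapshot comparison: report primary keys whose row digest differs between
   a historical snapshot and the current one.
"""
import hashlib
import re
import statistics

# Constructed egress samples: (interval start, bytes sent) per 5-minute interval.
# The first eight are the quiet baseline; the rest fall in the incident window.
EGRESS_SAMPLES = [
    ("2022-09-12T13:00", 12_400_000), ("2022-09-12T13:05", 11_900_000),
    ("2022-09-12T13:10", 13_100_000), ("2022-09-12T13:15", 12_700_000),
    ("2022-09-12T13:20", 12_200_000), ("2022-09-12T13:25", 12_900_000),
    ("2022-09-12T13:30", 11_800_000), ("2022-09-12T13:35", 12_500_000),
    ("2022-09-12T14:45", 13_000_000), ("2022-09-12T14:50", 12_600_000),
    ("2022-09-12T14:55", 12_300_000),
]


def egress_anomalies(samples, baseline_len=8, k=6.0, min_abs=500_000):
    """Return (timestamp, bytes, threshold) for intervals after the baseline whose
    bytes-out exceed median + k * MAD of the first `baseline_len` samples.
    `min_abs` floors the MAD so a very steady baseline does not flag normal jitter."""
    base = [b for _, b in samples[:baseline_len]]
    med = statistics.median(base)
    mad = statistics.median(abs(b - med) for b in base)
    threshold = med + k * max(mad, min_abs)
    return [(ts, b, threshold) for ts, b in samples[baseline_len:] if b > threshold]


# Constructed audit-log format (assumed): "<ts> user=<name> stmt=<SQL text>"
AUDIT_LINES = [
    "2022-09-12T14:46:02 user=app_rw stmt=SELECT id, status FROM jobs WHERE id = $1",
    "2022-09-12T14:46:05 user=app_rw stmt=UPDATE jobs SET status = $1 WHERE id = $2",
    "2022-09-12T14:47:11 user=app_rw stmt=INSERT INTO job_events (job_id, kind) VALUES ($1, $2)",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) stmt=(?P<stmt>.+)$")
# Verbs the application's service account is expected to issue (assumed allow-list).
ALLOWED_VERBS = {"SELECT", "INSERT", "UPDATE", "DELETE", "BEGIN", "COMMIT", "ROLLBACK"}


def unexpected_statements(lines, allowed_verbs=ALLOWED_VERBS, allowed_users=("app_rw",)):
    """Return (reason, line) for lines that do not parse, use a verb outside the
    allow-list, or were issued by a user other than the application's account."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            findings.append(("unparseable", line))
            continue
        verb = m["stmt"].split(None, 1)[0].upper()
        if verb not in allowed_verbs:
            findings.append(("unexpected_verb", line))
        elif m["user"] not in allowed_users:
            findings.append(("unexpected_user", line))
    return findings


def row_digest(row):
    """Stable digest of one row (tuple of column values)."""
    return hashlib.sha256(repr(row).encode()).hexdigest()


def changed_rows(before, after):
    """Compare two snapshots given as {primary_key: row_tuple}; return the sorted
    primary keys that were added, removed or modified between them."""
    b = {k: row_digest(v) for k, v in before.items()}
    a = {k: row_digest(v) for k, v in after.items()}
    return sorted(k for k in b.keys() | a.keys() if b.get(k) != a.get(k))


if __name__ == "__main__":
    print("egress anomalies:", egress_anomalies(EGRESS_SAMPLES))
    print("audit findings:", unexpected_statements(AUDIT_LINES))
    print("changed rows:", changed_rows({1: ("a",), 2: ("b",)}, {1: ("a",), 2: ("c",)}))
```

The egress check deliberately uses median and MAD rather than mean and standard deviation so that a single spike inside the baseline window cannot mask a later one; the audit-log check treats anything that fails to parse as a finding rather than silently skipping it, since a malformed line is itself worth a look during an investigation.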

Our response 

Currently, we have taken the following additional measures to protect our systems:

  • Revoked and recreated all database credentials and SSH keys
  • Completed an audit of all system credentials, ensuring that all are managed and rotated
  • Instituted additional application-layer and network-layer protections
  • Utilized our automated environment management to completely destroy and re-create the database environment
  • Expanded the regular cycling of credentials to include any and all users for microservices or reporting tools
  • Expanded our use of third-party monitoring and alerting tools to ensure around-the-clock alerting for a more immediate response time

Post-Incident Activity

Following the incident, our cyber-security team has been actively monitoring other resources to ensure we don’t have additional follow-up breaches. We have not. We continue the investigation of our database for data damage or loss. No loss or breach of personal or other customer data has been detected. The cyber-security team has reinforced our database. The investigation of where the breach was initiated is still ongoing. The investigation regarding any data breach is conclusive that no customer or other data was impacted in any way.

Contact

Please be assured that cielo24 is committed to protecting customer privacy and data. We regret that this incident transpired and apologize for any inconvenience it may have caused you. If you have further questions regarding this matter, please do not hesitate to contact us. Hours of operation are Monday - Friday, 8:00 AM PT - 6:00 PM PT (GMT -07:00).

Nicole Flynn

cielo24 Privacy Officer 

DataSecurity@cielo24.com

805.450.4040

Posted Sep 19, 2022 - 14:13 PDT

Resolved
Initial report on this incident available at https://go.cielo24.com/hubfs/922Report.pdf
Posted Sep 13, 2022 - 08:43 PDT
Monitoring
A fix has been implemented and we are monitoring the results.
Posted Sep 13, 2022 - 07:45 PDT
Investigating
We observed a new anomaly in the system and we are investigating it.
Posted Sep 13, 2022 - 06:37 PDT
Update
We are continuing to monitor for any further issues.
Posted Sep 12, 2022 - 15:52 PDT
Monitoring
A fix has been implemented and we are monitoring the results.
Posted Sep 12, 2022 - 15:52 PDT
Identified
The issue has been identified and a fix is being implemented.
Posted Sep 12, 2022 - 15:24 PDT
Investigating
Our data processing infrastructure is running behind, which is causing inaccuracies in the reporting tools. No data has been lost and the system should be caught up shortly.
Posted Sep 12, 2022 - 15:17 PDT
This incident affected: Portfolio, cielo24.com, and API.