Miami-based tech company suffers massive 1TB customer and business data leak

[HempBoosh]

Summary

Intcomex has suffered a major data breach, with nearly 1 TB of its users’ data leaked. The leaked data includes credit cards, passport and license scans, personal data, payroll, financial documents, customer databases, employee information and more. 

 

Quotes

Quote

“Intcomex internally detected and responded to a cyber attack involving some of our systems. Upon learning of the incident, we took decisive steps to address the situation and protect our systems. We immediately engaged third-party cybersecurity experts to assist us in the investigation and we have implemented additional enhanced security measures. We also notified law enforcement. We are notifying affected parties as appropriate. Services provided to our partners have not been impacted. The security of our systems and data remains a top priority.”

 

Quote

 

What data is included?

According to the leaker, the full database of the Intcomex leak included the following data:

 

Credit cards, including the full number, expiration date, CVV2, and the holder’s full name

Document scans, including US and Latin American passports, social security scans, driver license scans, and more

Personal data, such as social security numbers, dates of birth, zip codes, addresses, and more

Payroll information

Bank documents

Accounting and finance documents

Customers’ databases

Employee information

Contragents databases (although we are unsure what this means at the moment)

 

 

My thoughts

This is one of the bigger leaks I've seen this year, but I'm glad that the companies are being professional about this and addressing the issues. The amount of data leaked is also really bad, can't believe that credit card data is not secured properly. Oh, and of course the hacker was Russian

 

Sources

https://cybernews.com/security/miami-based-tech-company-suffers-massive-1tb-data-leak/

[Prodigy_Smit]

Just now, HempBoosh said:

Oh, and of course the hacker was Russian

Is this really surprising anymore?

 

1 minute ago, HempBoosh said:

The leaked data includes credit cards, passport and license scans, personal data, payroll, financial documents, customer databases, employee information and more. 

That is alot of info.

[Loote]

Spoiler

 

 

 

Did it copy background color for you? My eyes hurt.

[Phoned_]

4 minutes ago, Loote said:

 

Did it copy background color for you? My eyes hurt.

yeah i could barely read it

[Phoned_]

this is bad. Like, real bad. Frickin passports and payroll info. Stuff like that, and some hacker has access to all of that. Hopefully police get involved

[HempBoosh]

55 minutes ago, Phoned_ said:

yeah i could barely read it

Oof, sorry about that. I didn't notice because I'm using the default background. I'll try fixing it

[StDragon]

3 hours ago, valdyrgramr said:

Never dealt with them and this seems to mainly target folks south of the border.

South America, but yeah. Looks to be a distributor such as CDW and D&H. I could be wrong though.

[Pickles von Brine]

Did they not have the financial stuff and personal information encrypted? How the hell were they able to get all that? Someone was lax on security. 

[wanderingfool2]

49 minutes ago, Pickles - One of the Jar said:

Did they not have the financial stuff and personal information encrypted? How the hell were they able to get all that? Someone was lax on security. 

yea, it's pretty bad.  PCI DSS exists for a reason (and even if full compliance isn't achieved...because lets face it it is rare that a company follows it 100%, the majority of it should be treated as needed).  Encryption, keeping data separate (and having super sensitive information as secure as possible)

[Bombastinator]

Trying to figure out what the company even is, to determine possible personal involvement.

upon reading this https://www.intcomex.com/about-us/

 

it appears at least that the original purpose of the company was to export IT stuff from the US to Latin America. 

This would make them a tech company, which makes this kind of thing doubly embarrassing.

[rawrdaysgoby]

I bet ya My information is all over the place by now But I only have 5$ in my bank account sooo.... Yea.... It ain't worth your time hackers... you guys wouldn't want my identity as well I have terrible credit if you take my identity I can only say thanks creditors will come after you from now on LOL.  

[leadeater]

16 hours ago, wanderingfool2 said:

yea, it's pretty bad.  PCI DSS exists for a reason (and even if full compliance isn't achieved...because lets face it it is rare that a company follows it 100%, the majority of it should be treated as needed).  Encryption, keeping data separate (and having super sensitive information as secure as possible)

Most actively avoid having to do so by using payment gateways and processors and keep zero credit card payment information, that's what we do for everything other than our physical card payment equipment in the cafeterias and shops but those sit on dedicated VLANs and also process externally. That physical equipment has to be PCI DSS complaint though, which affects our network cabling wise and configuration wise.

 

The best option, at least in my eyes, is to avoid anything that requires PCI DSS at all costs. Literally pay more, have a higher TCO, just to not have to deal with it. Don't mess with that shit.

[wanderingfool2]

5 hours ago, leadeater said:

Most actively avoid having to do so by using payment gateways and processors and keep zero credit card payment information, that's what we do for everything other than our physical card payment equipment in the cafeterias and shops but those sit on dedicated VLANs and also process externally. That physical equipment has to be PCI DSS complaint though, which affects our network cabling wise and configuration wise.

 

The best option, at least in my eyes, is to avoid anything that requires PCI DSS at all costs. Literally pay more, have a higher TCO, just to not have to deal with it. Don't mess with that shit.

Yea, I was the one tasked to ensure compliance at one of the places...due to getting significantly better rates for credit card transactions. [Same approach though, PCI DSS complaint terminals on a separate VLAN, where the devices themselves encrypted fully before even hitting the network and sent to the gateway].  With that said, that still puts it in the class of PCI DSS - SAQ B-IP [I'll say it is unnecessarily burdensome even in cases where data isn't exposed...which is why it's rare to find a company that follows it 100%].

 

Maybe I'm wrong, but I think we can both agree that a large chunk of concepts in PCI DSS should be followed when dealing with cardholder or sensitive data (to minimize the impact like above)  [Like database encryption, network monitoring, mitigation plan in an event of a breach, changing admin passwords periodically]

[Hassan170]

On 10/15/2020 at 6:49 AM, rawrdaysgoby said:

I bet ya My information is all over the place by now But I only have 5$ in my bank account sooo.... Yea.... It ain't worth your time hackers... you guys wouldn't want my identity as well I have terrible credit if you take my identity I can only say thanks creditors will come after you from now on LOL.  

why have security when there's nothing to secure?

GENIUS!!!

[SpaceGhostC2C]

On 10/14/2020 at 6:56 AM, valdyrgramr said:

Never dealt with them and this seems to mainly target folks south of the border.

 

Most likely you haven't, but that's the worst part: you wouldn't even know. They offer B2B services, meaning they probably were handling these data on behalf of other, customer-facing companies.

In that regards it would be comparable to Equifax: they didn't have your data because you gave it to them, but because someone else passed it on to them....

[BlueChinchillaEatingDorito]

Reminds me of what happened to NCIX's servers after the company went under.