This week we’re focusing on three new incidents in the cybersecurity sphere involving Cloudflare, CitiBank and Johnson Controls International. From a suspected nation-state cyber attack on Cloudflare's internal systems to allegations of negligence against Citibank and the aftermath of a ransomware attack on Johnson Controls, these developments reveal the complex landscape organizations navigate in preserving cybersecurity. Join us as we delve into the intricacies of each incident.
Here are the details regarding the latest cybersecurity news:
Cloudflare has revealed a sophisticated cyberattack on its internal Atlassian server by a suspected nation-state actor. The breach, discovered on November 23, exposed the company's Confluence wiki, Jira bug database, and Bitbucket source code management system.
The attackers initially infiltrated Cloudflare's self-hosted Atlassian server on November 14. "They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil," said Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas in a statement.
Despite extensive remediation efforts concluding on January 5, ongoing work includes software hardening and credential management.
While customer data and services remained unaffected, Cloudflare believes the attack aimed to gain in-depth insights into its global network's architecture, security, and management. The incident follows a series of cybersecurity events, including a thwarted attempt in August 2022 and a breach involving Okta in October 2023.
New York Attorney General Letitia James has filed a lawsuit against Citibank, accusing the financial institution of neglecting to defend customers against cyberattacks and scams and refusing to reimburse victims for millions stolen by fraudsters.
"Banks are supposed to be the safest place to keep money, yet Citi's negligence has allowed scammers to steal millions of dollars from hardworking people," said Attorney General James in a press release.
The lawsuit contends that Citibank's denial of compensation to fraud victims violates the Electronic Fund Transfer Act (EFTA), which mandates reimbursement for unauthorized electronic transactions. James argues that, as Citibank provides online and mobile banking for wire transfers, it should offer similar protections to victims of electronic credit or debit card fraud.
The complaint alleges that Citibank exploited exceptions in regulations, leading to denied reimbursement claims and substantial financial losses for New York consumers. The lawsuit seeks restitution for victims, penalties, and disgorgement to address Citibank's alleged deceptive practices. Citibank asserts it closely follows regulations and employs proactive measures to prevent wire fraud.
Johnson Controls International, a multinational conglomerate specializing in industrial control systems, security, and safety equipment, has disclosed that a ransomware attack in September 2023 resulted in expenses totaling $27 million and a data breach.
Dark Angels, the ransomware gang behind the attack, claimed to have stolen over 27 TB of confidential data and demanded a $51 million ransom. The company confirmed the cyber incident in a quarterly report filed with the U.S. Securities and Exchange Commission (SEC), detailing unauthorized access, data exfiltration, and ransomware deployment.
Expenses associated with the response and remediation amounted to $27 million. Johnson Controls anticipates further costs as they assess the extent of data stolen and collaborate with cybersecurity experts. The company asserts that unauthorized activity has been contained, with digital products and services fully operational.