LIVONIA, Mich.—A data breach that allegedly exposed millions of records at CU Solutions Group (CUSG) has been reported by a “cybersecurity researcher,” but CUSG is saying there is also more to the story.
The event, according to CUSG, a CUSO of the Michigan Credit Union League, was described as a “temporary vulnerability” that did not compromise credit union member data. The CUSO also alleged that the researcher, Jeremiah Fowler, requested a “bounty” related to the alleged discovery.
Cybersecurity news outlet HackRead reported that Fowler discovered the “leak” and quoted Fowler as stating 13 gigabytes of “misconfigured cloud database resembling a customer relationship management system, reportedly linked to CU Solutions Group, was left publicly accessible without any security authentication or password protection.”
Claim of Three-Million Records
The report further stated that Fowler alleged the server/data contained more than three-million records (3,125,660 in total), “including a collection of sensitive information.”
“This included over one-million email conversations, internal notes, clients’ full names, physical addresses, details about thousands of credit unions across the United States, email addresses, and plaintext passwords,” the HackRead report stated.
HackRead cited a blog post by Fowler for Website Planet in which he “detailed how he contacted CU Solutions Group for responsible disclosure, leading to the company securing the server on the same day. However, representatives of the company responded by instead attributing the misconfiguration to possible mismanagement by a third-party vendor, leaving the actual responsibility unclear.”
CUSG Responds
In response, CU Solutions Group has issued a statement in which it described the incident as a “temporary vulnerability” in its internal CRM system. The CUSO stated the incident is “not connected to any CUSG products or credit union member data. The internal CRM system was immediately investigated. CUSG does not believe any client data was actually breached or misused and the vulnerability stemming from a third-party platform was rectified within 24 hours.”
Fowler, in an email message to CUToday.info said, “The exposed environment could also allow cyber criminals to insert malicious code, ransomware or identify vulnerabilities for a future cyber-attack. (There was a ransomware file in the database).”
According to CUSG, it was notified of the vulnerability by Fowler, “a self-acclaimed ‘researcher’ who appears to access corporate systems to expose vulnerabilities, then notifies the organizations regarding their exposure. At least in the case of this incident, he also requested a ‘bounty’ to help fund his research, and then published the information in his blog, which was later picked up by a specialized publication called, ‘Hack Read.’”
CUSG went on to state “these posts can then be Google-searched by other parties including media outlets.
The CUSO said it did not agree to pay the requested “bounty.”
‘Putting Others at Risk’
“While researchers like Mr. Fowler can help remind us of the importance of good data security, the publication of his findings in ways that potentially disparage corporate brands, create a customer ‘call to action,’ and exaggerate the facts is clearly irresponsible and could place him and others at legal risk if their hacked data ends up being mishandled,” said CUSG CEO Dave Adams.
Adams added that CUSG is confident its “internal technology security. For over 30 years, CUSG has operated with the same experienced technology team and leadership that has a stellar reputation for managing IT security on behalf of its stakeholders. While all companies are exposed to the ever-growing threats of cyber-security, and ransomware, CUSG’s team constantly monitors vulnerabilities and makes corrections immediately as needed and then reports to stakeholders with transparency.”