Who is to blame in Regeneron / Ceridian breach?
Date Reported:
7/26/10
Organization:
Regeneron Pharmaceuticals, Inc.
Contractor/Consultant/Branch:
Ceridian Corporation
Location:
Undisclosed/Web-based
Victims:
Current and former employees
Number Affected:
Undisclosed
Types of Data:
"names and bank account numbers"
Breach Description:
Regeneron has notified the New Hampshire Attorney General of a breach concerning unauthorized access to their payroll provider's (Ceridian Corporation) system. Once access was gained to the system, the "hackers" attempted to redirect employee paychecks to fraudulent accounts.
Reference URL:
New Hampshire Attorney General breach notification letter
Report Credit:
The New Hampshire Attorney General
Response:
From the online source cited above:
On or about June 18, 2010, Regeneron became aware that data on file with the company's payroll provider, Ceridian Corporation ("Ceridian"), was apparently accessed by persons other than registered, authorized users.
[Evan] Is Ceridian at fault, or did the unauthorized access come from a compromised authorized account at Regeneron?
The hackers obtained unauthorized access to the Ceridian system and attempted, unsuccessfully, to redirect the paychecks of nine employees into fraudulent accounts.
Regeneron immediately informed the nine affected employees and canceled the fraudulent direct deposit accounts before any payroll funds were diverted.
[Evan] Good luck, good incident response, or maybe a bit of both. It is always ideal if you can contain an incident before real damage is done.
In the course of investigating this matter, though, Regeneron also learned that the hackers accessing the Ceridian system may have viewed a list of employees' and former employees' names and their bank account numbers, which are included in the system for direct deposit purposes.
[Evan] Would it be a good idea for the affected employees to inform their bank, close their accounts, and open new accounts with new account numbers?
Regeneron soon will begin notifying employees by personal letter.
The letter to employees will include information on preventing identity theft and an email address and telephone number employees may contact to obtain further information about the incident.
Regeneron will also offer all employees a year of complimentary credit monitoring services.
Commentary:
I can't determine from this information if there was some flaw (or vulnerability) that was exploited in the Ceridian system. I kind of doubt it. This thing would probably be much bigger if there is/was.
My guess is that this breach resulted from the compromised credentials of an authorized (HR?) Regeneron employee. So let's assume that this was the case. The question is then how? Malware infection? Poor password management (e.g. weak passwords, writing passwords down, using the same password everywhere, etc.)? If our assumptions are correct, what do you think about the notification letter that implies a breach of Ceridian's security?
Past Breaches:
Unknown
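As an added illustration (example code written for this page, not from The Breach Blog, Regeneron or Ceridian), the routine below runs over a constructed payroll audit log and flags the two signs of a hijacked payroll login that the notification describes: one account changing several employees' direct-deposit details within minutes, and several employees being pointed at the same new destination account. The record fields, logins and account values are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of payroll self-service audit records (not real data).
# Each record: the login that made the change, when, which employee's
# direct deposit was altered, and the new destination account.
EVENTS = [
    {"actor": "hr_admin01", "ts": "2010-06-17T09:02:00", "employee": "E100", "new_acct": "ACCT-7001"},
    {"actor": "hr_admin01", "ts": "2010-06-17T09:04:00", "employee": "E101", "new_acct": "ACCT-7001"},
    {"actor": "hr_admin01", "ts": "2010-06-17T09:05:00", "employee": "E102", "new_acct": "ACCT-7001"},
    {"actor": "hr_admin01", "ts": "2010-06-17T09:09:00", "employee": "E103", "new_acct": "ACCT-7001"},
    {"actor": "hr_admin01", "ts": "2010-06-17T09:12:00", "employee": "E104", "new_acct": "ACCT-7002"},
    # Routine activity: one change per week, each to a distinct account.
    {"actor": "payroll_clerk", "ts": "2010-06-10T14:30:00", "employee": "E200", "new_acct": "ACCT-3100"},
    {"actor": "payroll_clerk", "ts": "2010-06-17T14:45:00", "employee": "E201", "new_acct": "ACCT-3101"},
]


def flag_direct_deposit_changes(events, window=timedelta(minutes=30), max_changes=3):
    """Return alerts for two patterns typical of a hijacked payroll login:
    ("burst", actor, employees): one login altered more than max_changes
        employees' bank details inside a sliding time window;
    ("shared_destination", account, employees): several employees were
        pointed at the same new destination account."""
    alerts = []
    by_actor = defaultdict(list)
    by_acct = defaultdict(set)
    for e in events:
        by_actor[e["actor"]].append((datetime.fromisoformat(e["ts"]), e["employee"]))
        by_acct[e["new_acct"]].add(e["employee"])

    for actor, changes in sorted(by_actor.items()):
        changes.sort()
        flagged, start = set(), 0
        for end in range(len(changes)):
            # Advance the window start until the span covers at most `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            if end - start + 1 > max_changes:
                flagged.update(emp for _, emp in changes[start:end + 1])
        if flagged:
            alerts.append(("burst", actor, sorted(flagged)))

    for acct, emps in sorted(by_acct.items()):
        if len(emps) > 1:
            alerts.append(("shared_destination", acct, sorted(emps)))
    return alerts


if __name__ == "__main__":
    for alert in flag_direct_deposit_changes(EVENTS):
        print(alert)
```

Either alert is a reason to hold the affected payroll run and verify the changes out of band with the employees before funds move, which is the containment step the letter credits Regeneron with.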
Hi Evan,
Ceridian reported the breach back in February. It was *their* breach and affected 1900 companies, one of which was Regeneron.
I have no idea why Regeneron is claiming that they first found out in June, as Ceridian reported that they had notified everyone back in February.
I contacted Ceridian on Friday to ask about Regeneron's claims to the NH AG, but haven't heard back from them yet, which is why I held off posting this one on databreaches.net. Something's weird about this because as I understand Ceridian's original report, they would have notified Regeneron's employees back then.
Ah yes. A breach reported when I was on hiatus from The Breach Blog. It does seem weird for Regeneron to report this to the NH AG now and claim to have found out about it in June.
Nice work! Thanks Dissent!
The plot thickens.
Bob McMillan reports that this is a second breach involving Ceridian that started as a compromise of Regeneron and then use of their credentials to try to divert funds from the payroll account with Ceridian.
I think the fact that I couldn't tell what they were talking about and confused it with the first incident suggests that Regeneron's report could have been more clearly written. :)
Things are never as simple as they seem, it seems. As I read the breach notification, there are numerous indicators of a compromised account. This is a much more popular avenue of attack than most people realize. We have seen companies put into bankruptcy from compromised online banking credentials. Banks are not required to reimburse business banking customers, and rarely do they (like never).
No doubt! Regeneron's report should have been more clearly written. The breach resulted from an exploit of their information security controls as much, or more so than Ceridian's.