
Crypto Exchange Gemini Hit by a Third-Party Breach Exposing Customer Banking Information

Crypto exchange Gemini has notified authorities of a third-party breach that affected its Automated Clearing House (ACH) service provider and leaked the personal and banking information of 15,000 customers.

Founded in 2014, New York-based Gemini Trust Company, LLC is a cryptocurrency exchange platform that operates a custodian bank and owns a cryptocurrency coin. With $9 billion in assets, it reports over $189 million in annual revenue and employs over 1,185 people.

The cryptocurrency exchange platform says the third-party cybersecurity incident impacted only a “subset of some Gemini customers’ banking information.”

Crypto exchange Gemini’s third-party breach leaks banking information

According to a data breach notification filed with California’s Attorney General, an unauthorized party breached the internal collaboration tool of the crypto exchange’s partner between June 3 and June 7, 2024. The intruder accessed account holders’ full names, bank account numbers, and routing numbers for ACH fund transfers.

“Unfortunately, information including your name, as well as the bank account number and routing number you provided to Gemini for transferring funds, may have been affected,” the company told its customers.

However, customers’ dates of birth, physical addresses, social security numbers, email addresses, phone numbers, usernames, and passwords were not impacted. The Gemini third-party breach affected at least 15,000 customers. The crypto exchange started notifying impacted individuals on June 24, almost a month before alerting regulatory authorities.

By notifying the impacted victims promptly, the company enabled them to take immediate action to protect themselves from targeted cyber attacks and fraud. Prompt notification also signals the crypto exchange’s commitment to transparency and openness in protecting personal information and can prevent potential lawsuits.

“We are committed to providing relevant information as quickly as possible. We appreciate your patience and support as we continue working around the clock with our partner to resolve this issue,” Gemini said.

Meanwhile, Gemini says the third-party breach did not affect its internal systems or compromise its customers’ account information.

“No Gemini account information or systems were impacted as a result of this third-party incident, and the incident did not affect the security of any Gemini systems,” the company said.

Third-party breach contained

The cryptocurrency exchange believes the third-party breach is contained. It also hired external cyber forensics experts to investigate the incident, implemented additional containment measures, and notified law enforcement authorities.

While Gemini has no evidence of customer impact, the crypto exchange advised customers to remain vigilant by monitoring their credit reports and financial statements and notifying their banks and law enforcement of any suspicious activity. The crypto exchange also advised impacted individuals to enable multi-factor authentication to protect their online bank accounts from takeover attacks or, in extreme cases, to request new account numbers.

Gemini has not disclosed the identity of the vendor or threat actor responsible for the third-party breach or whether it has received any ransom demands.

“This incident is another reminder of the need for enterprises to invest in more mature digital identity management practices for third-party vendors/suppliers,” said Jim Routh, Chief Trust Officer at cybersecurity company Saviynt. “Threat actors continue to target access to the software supply chain through third parties and the compromise of third-party credentials. Enterprises using conventional third-party governance controls without mature digital identity management capabilities will continue to suffer impacts from these types of attacks.”

Gemini has suffered another third-party breach in the past 24 months. In 2022, the crypto exchange suffered a breach linked to a phishing campaign that impacted 5.7 million customers.

Although the cyber attack did not appear to target Gemini specifically, cybercriminals frequently target cryptocurrency exchanges to steal funds or extort victims.

On July 18, 2024, India’s crypto exchange WazirX suffered a cyber attack attributed to suspected North Korean hackers, the Lazarus Group, losing over $230 million worth of cryptocurrency.