Online trust and identity management giant Entrust confirmed a security breach by a suspected ransomware gang that accessed data from the company’s internal network.
The Minneapolis, Minnesota-based company discovered the intrusion on June 18 and began notifying potential victims on July 6.
However, the incident only grabbed the security news headlines when cybersecurity researcher Dominic Alvieri tweeted a screenshot of the security notice sent to Entrust customers.
Entrust security breach potentially impacted critical organizations
Entrust is a solutions provider for various organizations, including US government agencies, such as the Department of Homeland Security (DHS), Treasury, Health & Human Services, Energy, Agriculture, and Veterans Affairs.
The company claims about 10,000 customers in 150 countries, including high-profile private and public organizations such as Microsoft and VMware.
These organizations entrust the security vendor with critical services such as identity management, user and machine authentication, issuance of IDs, secure online payments, and encrypted communications.
Coincidentally, the Entrust security breach came less than six months after another authentication vendor, Okta, disclosed a security breach in March 2022. Okta said that incident potentially impacted 366 customers, and the Lapsus$ extortion group claimed responsibility for it.
“While Entrust is a major — and highly credible — player in the global identity and encryption market, recent cyber incidents highlight the difficulties of staying ahead of relentless and well-funded cybercriminals,” Alon Nachmany, CISO of AppViewX, said.
“The harsh reality is that no one is spared in cyber attacks. Even today’s cybersecurity giants are fallible, and cybersecurity vendors are just as susceptible to becoming a victim of costly breaches.”
Threat actors exfiltrated files in the Entrust security breach
Entrust acknowledged that data was stolen from its internal systems, but it has not disclosed what kind of information was taken.
“We have determined that some files were taken from our internal systems. As we continue to investigate the issue, we will contact you directly if we learn information that we believe would affect the security of the products and services we provide to your organization,” Entrust CEO Todd Wilkinson disclosed in the security breach notification.
The security firm said it took additional measures to enhance its security and engaged law enforcement agencies and a third-party cyber forensics firm.
“Upon learning of the issue, we informed law enforcement and began working with a leading third-party cybersecurity firm. Though our investigation continues, we have no evidence of ongoing unauthorized access to our systems and are implementing additional safeguards to help enhance our security.”
Its preliminary investigation found no indication that the attack affected the operation or security of its products and services.
“While our investigation is ongoing, we have found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate, air-gapped environments from our internal systems and are fully operational.”
Ransomware gang bought security credentials used in Entrust security breach
No ransomware gang has publicly taken responsibility for the breach Entrust discovered on June 18. However, AdvIntel CEO Vitali Kremez told BleepingComputer that a well-known ransomware gang purchased the credentials used to gain access in the attack.
Entrust has not confirmed whether the security breach was a ransomware attack. One possible explanation for the silence is that negotiations are ongoing and the ransomware gang has agreed to stay quiet as part of the deal, though this has not been confirmed.
Ransomware attacks can cause devastating reputational damage, with some companies opting to pay to prevent the publication of their data on the dark web.
Entrust could face pressure to take this route if the stolen files contain data belonging to its high-profile clients, although it has not said whether any ransom demand was made.