Full Report
The Swiss state-owned Banque Cantonale de Geneve has confirmed that hackers released confidential customer correspondence after the bank refused to pay the ransom demanded by the attackers.
Analysis Summary
# Incident Report: Banque Cantonale de Geneve Data Leak
## Executive Summary
Hackers breached the Swiss state-owned Banque Cantonale de Geneve (BCGE) and exfiltrated more than 30,000 emails exchanged between the bank and its clients. The attackers demanded a ransom of roughly $12,000, which the bank refused to pay, and the data was then released publicly. The bank confirmed the leak, stating that it preferred transparency to giving in to blackmail, while characterising the leaked material as largely obsolete or non-critical.
## Incident Details
- **Discovery Date:** Implied around January 9, 2015 (when ransom demand surfaced)
- **Incident Date:** Prior to January 9, 2015
- **Affected Organization:** Banque Cantonale de Geneve (BCGE)
- **Sector:** Finance / Banking (State-owned Swiss Bank)
- **Geography:** Geneva, Switzerland
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-January 9, 2015
- **Vector:** Not stated in the source material. The compromised system held customer correspondence (client inquiries submitted to the bank over the internet).
- **Details:** Attackers obtained more than 30,000 emails between the bank and its clients.
### Lateral Movement
- *Data not explicitly detailed in source material.*
### Data Exfiltration/Impact
- **Date/Time:** Exfiltration preceded the ransom demand (before January 9, 2015); public release followed the expiry of the attackers' ultimatum (implied January 9-14, 2015).
- **Details:** Over 30,000 emails of confidential customer correspondence (client inquiries sent over the internet) were exfiltrated and, after the bank refused to pay, published by the hackers.
### Detection & Response
- **How it was discovered:** The attackers revealed the breach and their actions via a Twitter account.
- **Response actions taken:** The bank issued a statement confirming the leak hours after the attackers' ultimatum passed, stating that it preferred transparency to blackmail. It downplayed the risk, describing the data as mostly obsolete, non-critical, or correspondence already known to the clients concerned.
## Attack Methodology
- **Initial Access:** Not stated in the source material beyond the fact that it yielded access to stored customer correspondence.
- **Persistence:** *Not specified.*
- **Privilege Escalation:** *Not specified.*
- **Defense Evasion:** *Not specified.*
- **Credential Access:** *Not specified.*
- **Discovery:** *Not specified.*
- **Lateral Movement:** *Not specified.*
- **Collection:** Gathering of 30,000+ customer emails.
- **Exfiltration:** Transfer of collected data to attackers, followed by public release.
- **Impact:** Extortion attempt leading to public disclosure of client communication data.
## Impact Assessment
- **Financial:** Ransom demand of roughly $12,000 (converted at the exchange rate at the time); the bank refused to pay. No direct financial loss is reported in the source.
- **Data Breach:** Over 30,000 confidential customer emails (client inquiries sent over the internet) involving both domestic and international clients. The bank stated that the data was largely non-critical and not account-related, and that account access, which requires multi-factor authentication, was not compromised.
- **Operational:** Limited to the incident response and public communications effort; no service disruption is reported in the source.
- **Reputational:** Significant. The attackers leveraged the reputation of Swiss banks for client secrecy and explicitly taunted non-Swiss account holders with the prospect of tax audits.
## Indicators of Compromise
- **Network indicators:** None published. The only public artefact is the Twitter account through which the attackers announced the breach and released the data.
- **File indicators:** 30,192 email files leaked.
- **Behavioral indicators:** Public extortion: the attackers announced the breach, set an ultimatum, and released the data when it expired.
## Response Actions
- **Containment measures:** The source reports only the bank's public statement confirming the leak; technical containment measures (network isolation, credential resets) are not described.
- **Eradication steps:** *Not specified.*
- **Recovery actions:** Restoring client trust through transparency; assuring clients that account access was not compromised.
## Lessons Learned
- Hackers leveraged the historical reputation of Swiss banking secrecy to maximize reputational damage and pressure for payment, specifically targeting non-Swiss clients regarding tax authority concerns.
- The organization decided to prioritize transparency over meeting ransom demands.
## Recommendations
- Enhance data loss prevention (DLP) mechanisms to monitor and block the exfiltration of customer correspondence.
- Review and strengthen the security posture of internet-facing systems that receive and store client inquiries, since the leaked material was correspondence submitted over the internet and such systems are reachable from outside the bank's network.
- Develop a robust pre-planned communications strategy for confirmed data breaches involving high-profile client data.
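As an added illustration of the monitoring recommended above (example code written for this report, not BCGE's tooling and not derived from the source article), the following Python script runs a sliding-window detection over constructed access logs from a hypothetical internet-facing client inquiry system. The log format, field names, URL paths and thresholds are assumptions; an actor that successfully retrieves more than 50 distinct message records within five minutes is flagged, which is the access pattern a bulk pull of 30,000 emails would produce.

```python
"""Added example: rate-based detection of bulk retrieval of customer
correspondence from an internet-facing inquiry system.

Illustrative code written for this report, not the bank's tooling.
The log format, field names, paths and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
# <ISO8601 UTC timestamp> client_ip=<ip> user=<account> path=<url path> status=<code>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client_ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
# Assumed path of an individual customer message record.
MESSAGE_PATH = re.compile(r"^/inbox/messages/\d+$")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bulk_access(lines, threshold=50, window=timedelta(minutes=5)):
    """Return one alert per (client_ip, user) that successfully fetched more
    than `threshold` distinct message records within any span of `window`.

    A per-actor sliding window is kept as a deque of (timestamp, path);
    lines must be supplied in chronological order.
    """
    windows = defaultdict(deque)  # actor -> deque of (ts, path) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        # Only successful reads of message records count toward the window.
        if ev is None or ev["status"] != 200 or not MESSAGE_PATH.match(ev["path"]):
            continue
        actor = (ev["ip"], ev["user"])
        dq = windows[actor]
        dq.append((ev["ts"], ev["path"]))
        # Drop events that have fallen out of the window.
        while dq and ev["ts"] - dq[0][0] > window:
            dq.popleft()
        distinct = len({p for _, p in dq})
        if distinct > threshold:
            if actor not in alerts:
                alerts[actor] = {
                    "ip": ev["ip"],
                    "user": ev["user"],
                    "distinct_messages": distinct,
                    "window_start": dq[0][0],
                    "window_end": ev["ts"],
                }
            else:
                # Keep the peak count seen for this actor.
                alerts[actor]["distinct_messages"] = max(
                    alerts[actor]["distinct_messages"], distinct
                )
                alerts[actor]["window_end"] = ev["ts"]
    return list(alerts.values())


def sample_log():
    """Constructed sample log: one legitimate client and one bulk scraper."""
    base = datetime(2015, 1, 5, 2, 0, 0)
    fmt = "{t:%Y-%m-%dT%H:%M:%SZ} client_ip={ip} user={user} path=/inbox/messages/{n} status=200"
    lines = []
    # Legitimate client: three messages read over ten minutes.
    for i, minute in enumerate((0, 4, 9)):
        t = base + timedelta(minutes=minute)
        lines.append(fmt.format(t=t, ip="198.51.100.4", user="client7781", n=500 + i))
    # Scraper: 120 distinct messages pulled in two minutes, one per second.
    for i in range(120):
        t = base + timedelta(seconds=i)
        lines.append(fmt.format(t=t, ip="203.0.113.7", user="client0042", n=1000 + i))
    # The timestamp is the first field, so a lexical sort is chronological.
    return sorted(lines)


if __name__ == "__main__":
    for alert in detect_bulk_access(sample_log()):
        print(alert)
```

Counting distinct records per actor rather than raw requests avoids alerting on a client that refreshes the same message; in a production deployment the same logic would be fed from the web tier's access logs, and the threshold tuned against the volume a human reader actually generates.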