Full Report
On July 10, 2025, we discovered that we were the target of a cybersecurity incident and that files were encrypted in our virtual back-office environment that supports the shared back-office functions of both US Tiger and TradeUP. As soon as we became aware of this incident, we promptly engaged legal counsel to provide legal advice for an investigation into the incident, who in turn engaged a cybersecurity firm to conduct a forensic investigation. The investigation determined that some files were copied by an unauthorized third party from our virtual environment between July 8, 2025, and July 9, 2025. Notably, the investigation indicated that no intrusion occurred within the TradeUP production environment, which is segmented, and customer-facing trading operations were not impacted. We conducted a robust review of the data to identify individuals whose information may have been involved and worked to obtain addresses and notify individuals as quickly as possible after completing the review on April 17, 2026.
Analysis Summary
# Incident Report: US Tiger Securities & TradeUP Ransomware and Data Exfiltration
## Executive Summary
In July 2025, US Tiger Securities identified a cybersecurity incident involving the encryption and exfiltration of files within a virtual back-office environment shared with TradeUP. An unauthorized third party accessed the environment and copied files containing personal information of 26,985 individuals before encrypting files there. The investigation found no intrusion into the TradeUP production trading environment, which is segmented from the back-office environment, and customer-facing trading operations were not affected.
## Incident Details
- **Discovery Date:** July 10, 2025
- **Incident Date:** July 3, 2025 – July 9, 2025
- **Affected Organization:** US Tiger Securities Inc. (and shared services for TradeUP)
- **Sector:** Financial Services
- **Geography:** New York, USA
## Timeline of Events
### Initial Access
- **Date/Time:** July 3, 2025
- **Vector:** External system breach (Hacking)
- **Details:** Unauthorized access was gained to the virtual back-office environment that supports shared functions for both US Tiger and TradeUP. The company's notice does not state how access was obtained; the only dated activity it confirms is the copying of files on July 8–9, 2025.
### Lateral Movement
- **Details:** The threat actor reached file storage within the virtualized back-office environment, from which the copied files were taken. The notice gives no detail on the path taken inside the environment, and the investigation found no crossing into the segmented TradeUP production environment.
### Data Exfiltration/Impact
- **Date/Time:** July 8, 2025 – July 9, 2025
- **Details:** The investigation confirmed that files were copied by an unauthorized third party during this window. Following exfiltration, the attackers encrypted files within the virtual back-office environment.
### Detection & Response
- **Discovery:** July 10, 2025, upon identifying file encryption.
- **Response Actions:**
- Engaged legal counsel (Norton Rose Fulbright).
- Retained a third-party cybersecurity firm for forensics.
- Conducted a data review to identify affected parties (completed April 17, 2026).
- Issued formal notifications on May 15, 2026.
## Attack Methodology
- **Initial Access:** External hacking (specific vector like VPN/Phishing not disclosed).
- **Collection:** Gathering files from the shared virtual back-office environment.
- **Exfiltration:** Transfer of data to an unauthorized third-party location between July 8-9.
- **Impact:** Data encryption (Ransomware) causing localized disruption to back-office functions.
## Impact Assessment
- **Financial:** Costs associated with 24 months of credit monitoring for 26,985 individuals; forensic and legal fees.
- **Data Breach:** Compromise of personal identifiers for 26,985 individuals (names and other sensitive personal identifiers).
- **Operational:** Disruption to virtual back-office functions; however, production trading operations remained functional.
- **Regulatory and Reputational:** Breach notification filed with the Maine Attorney General and other regulators; potential loss of client trust given that the copied data came from a shared back-office environment of two brokerage brands.
## Indicators of Compromise
- **Network indicators:** None disclosed. The notice names no IP addresses, domains, or tooling used for command-and-control or exfiltration.
- **File indicators:** None disclosed. The notice confirms only that files in the virtual back-office environment were encrypted; it names no ransomware family or encrypted-file extension.
- **Behavioral indicators:** The confirmed window for file copying is July 8–9, 2025. The notice supplies no telemetry, but outbound transfer volume from back-office hosts in that window, and outbound connections to destinations those hosts had not previously contacted, are the behaviors a defender would hunt for.
## Response Actions
- **Containment measures:** Not described in the notice. The investigation found that the TradeUP production environment, which is segmented from the back-office environment, was not intruded upon, so the compromise was confined to the shared back-office environment.
- **Eradication steps:** A third-party cybersecurity firm, engaged through legal counsel, conducted a forensic investigation. The notice does not state the point of entry or the remediation performed.
- **Recovery actions:** Deployment of 24 months of Experian IdentityWorks credit monitoring for affected residents; setup of a dedicated call center.
## Lessons Learned
- **Effective Segmentation:** The segmented TradeUP production environment was not intruded upon and customer-facing trading continued, so the damage stayed confined to the shared back-office environment. Segmentation limited the blast radius; it did not prevent the back-office compromise or the data theft.
- **Review Lag Time:** Roughly nine months passed between discovery (July 10, 2025) and completion of the data review (April 17, 2026), with notifications issued on May 15, 2026. Determining which individuals appear in copied unstructured files is a manual bottleneck; an up-to-date inventory of where personal data lives in back-office file shares would shorten it.
## Recommendations
- **Enhanced Monitoring:** Deploy EDR (Endpoint Detection and Response) on back-office virtual machines and DLP (Data Loss Prevention) or egress monitoring at the environment boundary, so that a host which normally moves megabytes per day and suddenly sends gigabytes to a new external destination raises an alert before the copy completes.
- **MFA Implementation:** Require phishing-resistant Multi-Factor Authentication on every external-facing path into the virtual environment, including VPN, remote desktop gateways, and hypervisor management consoles.
- **Backup Integrity:** Verify that back-office backups are immutable (write-once or object-locked) and held off-network or in a separately credentialed account, and test restores, so recovery from an encryption event does not depend on negotiating with the threat actor.
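The behavioral indicator above (outbound volume on July 8–9) and the Enhanced Monitoring recommendation both come down to the same detection: flag a host whose daily outbound volume jumps far above its own baseline, and note any destination it has never contacted before. The following is an added example written for this page, not code from the notice, the company, or the forensic firm. The host names, destinations, and byte counts are constructed sample flow records chosen to mimic the pattern described (a file server that sends a few megabytes a day, then tens of gigabytes on two consecutive days); they are not telemetry from the incident.

```python
"""Per-host outbound-volume spike detector over NetFlow-style daily records.

Added example (not from the incident notice). Each record is
(source_host, day, destination, bytes_out). For every host and day we compare
the day's outbound total against the median of the preceding days, and we
require an absolute floor so that an idle host sending 40 MB instead of 1 MB
does not page anyone. New destinations first seen on a flagged day are listed,
since bulk copies to a never-before-seen endpoint are the exfiltration shape
described in the report.
"""
from collections import defaultdict
from statistics import median

# Constructed sample records (hypothetical hosts, addresses and volumes).
SAMPLE_FLOWS = [
    ("vbo-files01", "2025-07-01", "10.20.0.5", 4_800_000),
    ("vbo-files01", "2025-07-02", "10.20.0.5", 5_100_000),
    ("vbo-files01", "2025-07-03", "10.20.0.5", 4_600_000),
    ("vbo-files01", "2025-07-04", "10.20.0.5", 5_300_000),
    ("vbo-files01", "2025-07-05", "10.20.0.5", 4_900_000),
    ("vbo-files01", "2025-07-06", "10.20.0.5", 5_000_000),
    ("vbo-files01", "2025-07-07", "10.20.0.5", 5_200_000),
    ("vbo-files01", "2025-07-08", "10.20.0.5", 5_000_000),
    ("vbo-files01", "2025-07-08", "203.0.113.77", 38_000_000_000),  # bulk copy to a new external host
    ("vbo-files01", "2025-07-09", "203.0.113.77", 21_000_000_000),  # continues the next day
    ("vbo-app02", "2025-07-01", "10.20.0.5", 900_000),
    ("vbo-app02", "2025-07-02", "10.20.0.5", 1_100_000),
    ("vbo-app02", "2025-07-03", "10.20.0.5", 950_000),
    ("vbo-app02", "2025-07-04", "10.20.0.5", 40_000_000),  # 40x its baseline, but under the absolute floor
]


def daily_totals(flows):
    """Sum bytes_out per (host, day)."""
    totals = defaultdict(int)
    for host, day, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return dict(totals)


def flag_exfil(flows, multiplier=10, min_bytes=1_000_000_000, baseline_days=7):
    """Return alerts for (host, day) whose outbound total exceeds both
    multiplier * median(previous baseline_days totals) and min_bytes.

    The first observed day for a host has no baseline and is skipped.
    The median is used so that one spike day does not inflate the baseline
    for the following day, which matters for multi-day copies.
    """
    totals = daily_totals(flows)
    by_host = defaultdict(list)
    for (host, day), n in totals.items():
        by_host[host].append((day, n))

    # First day each (host, destination) pair was seen; ISO dates sort lexically.
    first_seen = {}
    for host, day, dst, _ in sorted(flows, key=lambda f: f[1]):
        first_seen.setdefault((host, dst), day)

    alerts = []
    for host, series in by_host.items():
        series.sort()
        for i, (day, n) in enumerate(series):
            prior = [v for _, v in series[max(0, i - baseline_days):i]]
            if not prior:
                continue  # no baseline yet; cannot judge the first day
            base = median(prior)
            if n >= max(multiplier * base, min_bytes):
                new_dsts = sorted(d for (h, d), fd in first_seen.items()
                                  if h == host and fd == day)
                alerts.append({"host": host, "day": day, "bytes": n,
                               "baseline": base, "new_destinations": new_dsts})
    alerts.sort(key=lambda a: (a["host"], a["day"]))
    return alerts


if __name__ == "__main__":
    for a in flag_exfil(SAMPLE_FLOWS):
        print(f"{a['day']} {a['host']}: {a['bytes']:,} bytes out "
              f"(baseline {a['baseline']:,}), new destinations: {a['new_destinations']}")
```

Run against the sample, the detector flags vbo-files01 on July 8 and July 9 only, names 203.0.113.77 as a new destination on the first of those days, and stays quiet on vbo-app02 because its spike never reaches the 1 GB floor. In a real deployment the records would come from the hypervisor's virtual switch or a boundary firewall, and the floor and multiplier would be tuned per host class; the point of the absolute floor is that a relative rule alone generates noise from hosts that barely talk.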