Data Theft and Extortion Incident at a Professional Services Firm
June 11, 2024
A high-profile firm in the professional services industry suffered a data theft and extortion incident. The threat actor stole client data via a social engineering attack and demanded a ransom to prevent the data from being published. The client retained FTI Cybersecurity to investigate the nature and scope of the incident, including determining the root cause, the extent of the intrusion, and the full scope of the threat actor’s activity.
Our Impact
FTI Cybersecurity experts provided around-the-clock support in multiple client offices until investigation, threat hunting, and containment efforts had been completed. The investigation determined the root cause and full scope of the threat actor’s activity, and negotiation efforts resulted in the return of exfiltrated data. Through multiple workstreams, FTI Cybersecurity helped the client communicate with law enforcement and identified, with high confidence, the threat actor group responsible for the incident.
Our Role
FTI Cybersecurity responded onsite and, within hours, identified and disabled the compromised corporate user account and collected the compromised device for forensic analysis. FTI Cybersecurity experts blocked malicious activities and indicators of compromise (“IOCs”), revoked user account privileges on affected accounts, and conducted a comprehensive threat hunt through the client’s environment. FTI Cybersecurity gathered evidence and analyzed the tactics, techniques and procedures (“TTPs”) used by the threat actor, which provided valuable insights that informed the decision-making process during ransom negotiations.
FTI Cybersecurity examined exfiltrated data and conducted a one-to-one file reconciliation based on a review of both host-based and network event logs, file sizes, and other information obtained during the investigation. Following the appropriate laws and best practices, FTI Cybersecurity engaged in negotiations with the threat actor to determine proof of data exfiltration, payment terms, and data decryption, and facilitated the return and destruction of exfiltrated data.