[BreachExchange] Risk startup LogicGate confirms data breach

Wed Apr 14 10:33:42 EDT 2021

https://techcrunch.com/2021/04/13/logicgate-risk-cloud-data-breach/

Risk and compliance startup LogicGate has confirmed a data breach. But
unless you’re a customer, you probably didn’t hear about it.

An email sent by LogicGate to customers earlier this month said on
February 23 an unauthorized third party obtained credentials to its
Amazon Web Services-hosted cloud storage servers storing customer
backup files for its flagship platform Risk Cloud, which helps
companies to identify and manage their risk and compliance with data
protection and security standards. LogicGate says its Risk Cloud can
also help find security vulnerabilities before they are exploited by
malicious hackers.

The credentials “appear to have been used by an unauthorized third
party to decrypt particular files stored in AWS S3 buckets in the
LogicGate Risk Cloud backup environment,” the email read.

“Only data uploaded to your Risk Cloud environment on or prior to
February 23, 2021, would have been included in that backup file.
Further, to the extent you have stored attachments in the Risk Cloud,
we did not identify decrypt events associated with such attachments,”
it added.

LogicGate did not say how the AWS credentials were compromised. An
email update sent by LogicGate last Friday said the company
anticipates finding the root cause of the incident by this week.

But LogicGate has not made any public statement about the breach. It’s
also not clear if the company contacted all of its customers or only
those whose data was accessed. LogicGate counts Capco, SoFi and Blue
Cross Blue Shield of Kansas City as customers.

We sent a list of questions, including how many customers were
affected and if the company has alerted U.S. state authorities as
required by state data breach notification laws. When reached,
LogicGate chief executive Matt Kunkel confirmed the breach but
declined to comment citing an ongoing investigation. “We believe it’s
best to communicate developments directly to our customers,” he said.

Kunkel would not say, when asked, if the attacker also exfiltrated the
decrypted customer data from its servers.

Data breach notification laws vary by state, but companies that fail
to report security incidents can face heavy fines. Under Europe’s GDPR
rules, companies can face fines of up to 4% of their annual turnover
for violations.

In December, LogicGate secured $8.75 million in fresh funding,
totaling more than $40 million since it launched in 2015.