Cyberattack on debt acquisition firm Cabot involved theft of 394,000 data files, court hears

Cabot Financial claims there are ‘persons unknown’ behind the attack


A cyber attack targeting acquisition and credit servicing firm Cabot involved theft of some 394,000 data files, including material related to its direct customers and its loan book, the High Court has heard.

Cabot Financial (Ireland) Ltd, Cookstown Court, Old Belgard Road, Tallaght, Dublin, claims there are “persons unknown” behind the attack along with a UK incorporated web hosting provider called Aeza International Ltd.

Last month, Cabot was granted an injunction requiring Aeza and the “persons unknown” to deliver up some 356 GB of data initially removed from Cabot’s IT system between September 17th and 18th last.

Cabot was also granted an anonymisation order and its initial application was heard in private (in camera) by Mr Justice Brian Cregan.


Cabot successfully argued that this was to prevent the alleged cyberattackers seeking a ransom for the return of the data. It also argued that if the alleged attackers were given notice of the making of any order by the court, this could lead to widespread dissemination of the material.

Cabot has more than 100,000 current customers and if the data stolen included historic customers, it could be multiples of that figure, Cabot director Sean Webb said in an affidavit.

When the case again came before the court later in October, Mr Justice Oisín Quinn lifted the anonymisation and in camera order.

On Thursday, when it then came before Mr Justice Mark Sanfey, Johnathan Newman SC, for Cabot, said the known defendant (Aeza) had now been served with the court papers by registered post. However, there has been no appearance before the court by Aeza.

Counsel said that when the matter was before Mr Justice Quinn, that judge had concerns about service of the papers on persons unknown who are only identified by an IP (internet protocol) address. The judge made certain orders in relation to them but it had not been possible to serve the order and counsel sought to continue the order so this could be done.

On Thursday, Mr Justice Sanfey directed that as well as serving them with the papers by post they could also be informed by email. He said the case could come back next month when the court would hear an application for an extension of the injunction until the full case is heard.

In his affidavit grounding the injunction application, Cabot director Mr Webb said the firm holds personal and corporate information on its IT system along with identification documentation, corporate, commercial and employee data.

In the last two weeks of September, Cabot became concerned at suspicious activity on its systems and a number of technical steps were taken to respond, he said.

It then engaged an incident response team to commence a thorough investigation supported by cyberattack expert Mandiant and external counsel.

On October 4th, Mandiant reported a data theft. It was discovered that, on September 17th, a command was made to back up files to an external IP address.

Mr Webb said that between September 17th and 18th, “event logging” on its system recorded the back-up utility accessing 393,984 files. He said the “threat actors” had accessed the system and removed around 356.65 GB of data to the external IP address.

Cabot says it notified the Central Bank and the Garda National Cyber Crime Bureau of the matter.

Mr Webb said the affected data included information relating to direct customers’ debt acquired by Cabot and customers of financial institutions that Cabot provided credit servicing activities to.

It includes loan book data relating to loans it purchased and contact details. There is a risk it could contain material relating to health or marital relationship in instances where a customer writes explaining the circumstances giving rise to repayment arrears, he said.

There was also sensitive data relating to employees as well as data relating to pricing, redundancies, business opportunities and internal corporate confidential data.

Mr Webb said Mandiant had concluded that the IP address is associated with Aeza, which has an address in Barking Road, London. From a Google Street View search, it appears to be the office of another firm that merely provides secretarial services to Aeza, he said.

The only director of Aeza is Marat Timurov, with an address in Uralsk, Kazakhstan. Aeza’s website describes it as a web-hosting provider and it has a UK contact number and an email address.