In this month’s digest: teenage BEC scammers, a two-year breach hiding in a water utility’s network, a compromised GitHub token, and other incidents where trust proved expensive.


What happened: A UK water utility was fined more than £900,000, or about $1.3 million, after a phishing attack led to a personal data breach. The incident went unnoticed for almost two years.
How it happened: In 2022, data belonging to South Staffordshire Water Plc, a company that operates water networks and supplies drinking water to a quarter of the UK, was exposed online. The Cl0p ransomware group claimed responsibility for the attack. The leaked information included full names, home addresses, email addresses, phone numbers, dates of birth, customer credentials, banking details, and employee data.
The UK Information Commissioner’s Office conducted an investigation and found that cybercriminals had gained access to South Staffordshire Water’s IT systems back in 2020. The breach started with a phishing attack that enabled the attackers to deploy malware inside the company’s environment. The malware remained undetected for 20 months. Between May and July 2022, the attackers escalated their privileges within the water supplier’s network and gained domain-level control. South Staffordshire Water only discovered the incident in July 2022, after investigating performance issues in one of its IT systems.
The ICO concluded that serious cybersecurity failures at South Staffordshire Water left customer and employee data exposed for nearly two years. Among the issues identified were inadequate controls over privilege escalation, the use of outdated software such as Windows Server 2003, missing updates, poor vulnerability management, and the absence of regular internal and external security testing. Investigators also found that the company’s security monitoring covered only 5% of its IT infrastructure.

What happened: Teenagers stole $2.89 million from a US money transfer company through a business email compromise attack.
How it happened: According to police, two 19-year-olds and one 16-year-old conspired with a Malaysian hacking group. The hackers helped them set up shell companies for a BEC scheme. The teenagers also opened corporate bank accounts with DBS, a Singapore-based financial institution, to move the stolen funds.
The enterprising group used email to convince employees of an unnamed US money transfer service to send $2.89 million to one of the fraudulent corporate accounts. However, the attempt to withdraw the money raised red flags at DBS, whose staff contacted the police. Singapore’s Anti-Scam Command then reached out to Interpol, which alerted the US sender that it had been defrauded.
Police did not disclose the full attack chain, but the incident was likely linked to the compromise of corporate email accounts belonging to executives, employees, or trusted suppliers.
The teenagers were arrested. If convicted, they could face up to 10 years in prison, a fine of $500,000, or both. Online scammers, members of scam syndicates, and recruiters may also face mandatory caning, with sentences of six to 24 strokes.

What happened: Hackers breached Grafana Labs’ GitHub infrastructure and stole source code repositories.
How it happened: The attackers used a compromised access token for Grafana Labs’ GitHub environment and stole the contents of code repositories. Grafana Labs identified the source of the credential leak that led to the token compromise. The company immediately revoked the affected tokens and implemented additional security measures across its IT environment.
The CoinbaseCartel group claimed responsibility for the breach. After the attack, the threat actors attempted to extort Grafana Labs, demanding payment in exchange for not disclosing the stolen data. The company refused to pay the ransom.
An initial investigation found no evidence that customer or client data had been affected. Grafana Labs has not disclosed which repositories were stolen. However, according to The Register, the attackers may have accessed proprietary code. The company’s investigation is ongoing.

What happened: A New York man helped “romance” scammers defraud a company of $212,000.
How it happened: An employee at High Point Cattle Company received an email that appeared to come from contractor Lewiston Sales, notifying the company of updated banking details. The employee did not spot the fraud and sent two wire transfers totaling $212,685.75. Several days later, however, the real Lewiston Sales contacted the company to say it had never received the money. It turned out the contractor had not changed its banking details and had not sent the emails.
High Point Cattle Company reported the fraud to police. The investigation showed that the sender’s email address looked almost identical to the real address of a Lewiston employee. The only difference was that the letter “m” in the legitimate address had been replaced with the letters “r” and “n” in the fraudulent one. Placed side by side, “r” and “n” looked like “m,” which is why the employee missed the deception.
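The “rn” for “m” substitution described above is a classic lookalike-domain trick, and it is one a mail gateway or a finance team’s invoice workflow can catch mechanically. The following Python script is an added example (not part of the original digest and not a SearchInform tool): it folds visually confusable character sequences to a canonical form and compares the sender’s domain against a list of trusted supplier domains, falling back to a similarity ratio for near-misses such as a dropped letter. The trusted domain and the sample sender addresses are constructed placeholders, not the real Lewiston Sales address.

```python
"""Flag sender addresses whose domain differs from a trusted supplier's
domain only by visually confusable characters (e.g. "rn" for "m").

Added example; trusted domains and sample addresses are constructed placeholders.
"""
from difflib import SequenceMatcher

# Visually confusable sequences -> canonical form (one-way folding).
# "rn" -> "m" is the substitution used in the High Point Cattle case above.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
    "|": "l",
}

# Constructed placeholder, not the contractor's real domain.
TRUSTED_DOMAINS = {"lewiston-sales.example"}


def fold_confusables(s: str) -> str:
    """Lower-case the string and replace confusable sequences with their
    canonical form. Multi-character keys are folded before single characters
    so that "rn" becomes "m" rather than being split apart."""
    s = s.lower()
    for seq in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(seq, CONFUSABLES[seq])
    return s


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85):
    """Classify a sender address against the trusted supplier domains.

    Returns (verdict, matched_trusted_domain_or_None) where verdict is:
      'trusted'   - domain is exactly a trusted domain
      'lookalike' - folds to a trusted domain, or is very similar to one
      'unknown'   - unrelated domain (no supplier impersonation detected)
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    folded = fold_confusables(domain)
    for t in trusted:
        # Exact match after folding: homoglyph substitution such as rn -> m
        if folded == fold_confusables(t):
            return "lookalike", t
        # Near-miss: one dropped, added or swapped character
        if SequenceMatcher(None, domain, t).ratio() >= threshold:
            return "lookalike", t
    return "unknown", None


def flag_lookalikes(addresses, trusted=TRUSTED_DOMAINS):
    """Return [(address, impersonated_trusted_domain)] for every lookalike."""
    flagged = []
    for address in addresses:
        verdict, matched = classify_sender(address, trusted)
        if verdict == "lookalike":
            flagged.append((address, matched))
    return flagged


# Constructed sample senders: one genuine, three lookalikes, one unrelated.
SAMPLE_SENDERS = [
    "accounts@lewiston-sales.example",
    "accounts@lewiston-sales.exarnple",   # "rn" in place of "m"
    "billing@lewist0n-sales.example",     # digit zero in place of "o"
    "invoices@lewiston-sale.example",     # dropped letter
    "newsletter@unrelated.example",
]

if __name__ == "__main__":
    for address, impersonated in flag_lookalikes(SAMPLE_SENDERS):
        print(f"LOOKALIKE {address} -> impersonates {impersonated}")
```

A flag from this check is a reason to verify a banking-detail change by telephone on a number already on file, never by replying to the message; the folding table is deliberately small and one-way, and a production deployment would extend it with Unicode confusables and IDN handling.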
Police found that the company’s money had been routed to several accounts belonging to a New York man named Michael McPherson. Investigators contacted him, and he admitted that the bank accounts were his. He said he had opened them to help a woman he met on a dating site transfer a large inheritance.
McPherson told police that, at the woman’s request, he had opened personal bank accounts with Bank of America, Chase, Discover, Cross River Bank, and US Bank so she could send money to them. He also said she helped him create a fake company called MCP Energy LLC. Whenever funds arrived in his accounts, the woman instructed him to transfer the money elsewhere or withdraw it from ATMs.
McPherson never met his online love interest in person, but their romantic relationship quickly turned into a business arrangement. In exchange for opening accounts and following her instructions, he received a used car, had his credit card debts paid off, bought new clothes, and purchased new glasses.
He admitted to police that the woman’s behavior seemed suspicious, but said he could not cut off contact once things had gone too far. By then, he understood that he had become an accomplice and did not know how to avoid punishment.
McPherson’s first court hearing is scheduled for July 8. It remains unclear whether investigators have identified the mysterious online woman – or whether she existed at all. So far, no woman has been charged in connection with the High Point Cattle Company fraud case.

What happened: Retailer 7-Eleven suffered a data leak following a cyberattack.
How it happened: The major convenience store chain confirmed that, in the spring, a hacking group gained access to its confidential data. The breach followed the compromise of an IT system used by the company to store franchisee documents.
7-Eleven detected suspicious activity in its infrastructure on April 9 and immediately took steps to contain the incident. The company also apologized in advance to customers and partners for any inconvenience the incident might cause.
7-Eleven did not disclose details of the investigation or the number of people affected by the data breach. However, ShinyHunters, the hacking group that claimed responsibility for the incident, alleged that it had breached the company’s Salesforce environment and stolen more than 600,000 records containing personal data and corporate information related to 7-Eleven.
Less than a week after announcing the breach, ShinyHunters published a 9.4 GB archive of documents on the dark web. 7-Eleven had previously refused to pay a ransom for the data.

What happened: A marketing employee at Hollywood-based Hot Gold Fish Corporation defrauded his employer of $63,000.
How it happened: George Louis Leyva joined the marketing department of Hot Gold Fish Corporation, a company that creates pop-art-style portraits. Soon after being hired, he selected several marketing agencies as contractors for company projects and signed agreements with them worth tens of thousands of dollars.
The employer later discovered that all of the marketing agencies selected by Leyva actually belonged to him, meaning he had effectively paid himself using Hot Gold Fish Corporation’s money. In total, the company says he defrauded it of $63,000 and reported the matter to police.
Hot Gold Fish Corporation claims that Leyva recommended the agencies because he said he had worked with them before, while concealing the fact that he owned them. Company representatives also said that, during an internal investigation, they found that the former employee had attempted to counterfeit the company’s intellectual property. Leyva allegedly created copies of images owned by Hot Gold Fish and even launched a website resembling the company’s official page.
When the scheme came to light and he was dismissed, Leyva deleted the fake website. That – along with the police investigation – may have saved his next potential employer from hiring a “contractor” who turned out to be a knockoff Hot Gold Fish.
Security Tip of the Month: This month’s cases highlight three familiar risk factors: compromised accounts, excessive privileges, and insider abuse. Whether it is BEC fraud, unauthorized access to code repositories, or the exposure of sensitive records, prevention starts with visibility and behavior monitoring. SearchInform Risk Monitor helps uncover suspicious employee activity and fraud indicators, while FileAuditor (DCAP) helps reduce data exposure by showing who has access to what – and where those access rights create unnecessary risk.