Major United States-based Bitcoin automated teller machine (BTM) company Byte Federal has suffered a major data breach.
A Thursday filing with Maine’s attorney general shows that Byte Federal’s breach allowed the attacker to access the personal data of 58,000 customers, including 111 Maine residents. The company noticed the attack on Nov. 18, more than a month after it occurred on Sept. 30.
Venket Naga, co-founder and CEO of security-focused data storage service Serenity, told Decrypt that the incident shows the dynamic nature of constantly expanding cybersecurity threats. According to him, crypto industry firms “must adopt adaptive frameworks that evolve with emerging risks, posing risks to both the physical and underlying infrastructure involved with blockchain.”
CoinATMRadar data shows that Byte Federal operates 1,356 Bitcom ATMs in the United States. This is equivalent to about 4.3% of all crypto ATMs in the country.
The attack was reportedly a consequence of a third-party service being exploited. After detecting the incident a month later, Byte Federal decided to shut down its platform and reassured users that no funds were lost.
A joint statement from smart contract auditors at crypto cybersecurity firm Hacken Ataberk Yavuzer and Olesia Bilenka explains that the “incident occurred due to an unpatched or outdated GitLab system.” It goes on to add that “inadequate server segmentation” could be what allowed attackers to access sensitive customer data.
“It is very likely that the GitLab repositories contained sensitive credentials to access Byte Federal’s databases, which include name, birthdate, address, phone number, email address, government-issued ID, social security number, transaction activity, and user photograph information,” the auditors highlighted.
Despite the breach, the company noted that it found no evidence that customer data was actually misused or accessed. “Nonetheless, we are taking precautionary measures to ensure the security of your data and to help alleviate any concerns you may have.” the letter to customers read.
Byte Federal also noted it’s working with an independent cybersecurity team on a forensic investigation of the incident and might pursue legal action.
Byte Federal said it applied a hard reset to all customer accounts and sent a notice concerning the incident. The company also changed internal passwords, the password management system, tokens and keys to prevent further breaches.
The company urged customers to reset their login credentials. It warned that users may be asked to verify their personal information—providing more confidential data to a firm that just experienced a potential data leak.
“The Byte Federal incident is yet another example of how forcing commercial activities to retain their customers' data is the worst practice concerning their privacy,” an anonymous former Bitcoin ATM operator told Decrypt. They wanted to withhold their identity because they chose to shut down their service rather than comply with know-your-customer rules.
“In the case of cryptocurrencies, these data breaches are even more dangerous for users because they associate their personal information with a specific type of financial activity, making them easy targets for theft and fraud,” the former Bitcoin ATM operator added.
Edited by Stacy Elliott.