The lending platform BlockFi has sent an email to all clients this morning (Tues 19 May) informing them of a data breach.
The company says the breach happened on May 14 and affected fewer than half of the platform’s users, none of them institutional clients, CEO Zac Prince has confirmed. The breach, which was isolated within an hour, did not impact customer funds.
It did, however, expose account activity information as well as customer email and postal addresses. American social security numbers and photos of client licenses and government-issued IDs were not exposed, the company said.
The email states the following:
“On May 14th, there was a data incident at BlockFi that exposed certain client account information for a brief period of time. While no information was accessed that would enable the intruder to access your account or your funds, we believe it is in the interest of transparency to share the following details with you, and all of our other clients who were potentially affected. Your funds, passwords, and non-public identification information are secure and no BlockFi client or company funds were impacted or at risk. No action is required by you.”
A BlockFi incident report placed on their website states that the data breach was due to a SIM card swap attack on a BlockFi employee’s phone number. The attacker also attempted to withdraw client funds on BlockFi but “was unsuccessful in doing so,” according to the report.
What is interesting to note in the incident report is that, despite admitting to email and postal addresses being exposed, no apology is made.
Data breaches are not unusual in the nascent industry. In March this year, it was reported that more than a quarter of a million of Trident Crypto Fund’s customers’ usernames and passwords had been stolen. In November 2019, derivatives giant BitMEX incited the wrath of Twitter users for a breach that impacted the majority of its users.
As for BlockFi’s breach, the firm said it “quickly terminated the intruder’s access to BlockFi’s internal system.”
“We are constantly reviewing and improving our systems and security processes and will be accelerating efforts in a number of areas as a result of this activity,” an internal memo said. “In addition to ongoing development of our systems, we are actively researching options for us to contribute to the cybersecurity efforts of the cryptocurrency industry more broadly.”
Specifically, BlockFi will increase the frequency of penetration testing, and it has updated its system to trigger an even swifter lockdown should something similar happen in the future, CEO Prince was quoted as saying.
The breach comes at a time of rapid growth for BlockFi, and the industry as a whole. The company allegedly signed on more clients in the week of the halving than any other week in its history, adding more than 7,000 new funded accounts, which reflects the growth activity reported by South Africa-based exchange Luno.
BlockFi is on pace to generate $50 million in revenue over the next 12 months and is currently growing at ~25% month-over-month, a source added.