
Transmit Security, Authentication Company Used by Banks, Hacked

The breach impacted email addresses, passwords, phone numbers, and other sensitive information, according to a researcher mentioned in a breach notification obtained by Motherboard.

This week a cybersecurity company called Transmit Security, which focuses on providing corporate clients with tools to securely log users into different services, notified customers of a data breach at the firm. The breach impacted over a thousand email addresses, passwords, phone numbers, and other sensitive information, according to a researcher mentioned in Transmit Security's breach notification message. Transmit Security denied passwords were impacted in a follow-up email.


Transmit Security works with a number of large banks, including TD Bank and the First International Bank of Israel.

The customer notification message says that a security researcher contacted some of Transmit Security's customers on Monday and reported unauthorized access to the data, according to a copy of the message obtained by Motherboard.

Did you receive the Transmit Security breach notification? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

"Based on information provided by the researcher it seems that the attackers gained access to NextCloud, a file sharing support-system through which Transmit distributes mainly binaries to customers," the message reads. Transmit Security has shut down its NextCloud system in response, the message adds.

As well as the email addresses and personal information, the breach also impacted source code, binaries and emailed communications shared between Transmit Security and clients, the message adds, referencing the researcher. In a statement, Craig Currim, head of field engineering for Transmit Security, said source code for the Transmit Security software was not leaked.

The message said that application and customer data from clients themselves is not affected.

Transmit Security left stealth in 2017 with $40 million in self-funding.

Update: This piece has been updated to include comment from Transmit Security.
