Framework Data Breach

Crystalyne · January 11, 2024, 8:31pm

Copypasta’d from an email from FW:

Hello,

Keating Consulting, Framework’s primary external accounting partner, brought to our attention at 8:13am PST on January 11th, 2024, that one of their accountants fell victim to a phishing email that utilized social engineering tactics to obtain customer PII (Personal Identifiable Information) associated with outstanding balances for Framework purchases.

If you are receiving this email, we’ve identified that your information was impacted by this breach.

What happened?

On January 9th, at 4:27am PST, the attacker sent an email to the accountant impersonating our CEO asking for Accounts Receivable information pertaining to outstanding balances for Framework purchases.

On January 11th at 8:13am PST, the accountant responded to the attacker and provided a spreadsheet with the following information:

Full Name

Email Address

Balance Owed

Note that this list was primarily of a subset of open pre-orders, but some completed past orders with pending accounting syncs were also included in this list.

What was done to resolve the issue?

29 minutes after the external accounting consultant had responded to the attacker (8:42am PST on January 11th, 2024), Framework’s Head of Finance was made aware of the breach. At that point, he informed Keating Consulting leadership of their error, and escalated the incident to Framework leadership for immediate review and handling.

Upon escalation, we identified all impacted customers to enable mass-notification of the breach (this email).

What steps have you taken to ensure this doesn’t happen in the future?

We’ve informed Keating Consulting of this breach and attack vector and will be requiring mandatory phishing and social engineering attack training for any of their employees who have access to customer information. We are also auditing their standard operating procedures around information requests. We are additionally auditing the trainings and standard operating procedures of all other accounting and finance consultants who currently or previously have had access to customer information.

What steps should I take to protect myself given the notification of this breach?

As the information provided to the attacker includes your name, email address, and outstanding balance, we can assume that they could attempt to impersonate Framework and ask for you to provide payment information or request that you follow a link that will attempt to gather more sensitive information about you or your outstanding balance with Framework.

We will only provide an “Action Required” email when an official payment capture fails, which includes a link to the Framework website to update payment information to enable final payment capture. This email is always sent from support@frame.work. We will never request payment information to be sent directly by email. If you are ever concerned about the validity of an email received from Framework, please contact Framework Support and we will confirm or deny the authenticity of any correspondence.

We take customer information privacy seriously, and the incident and its investigation were treated with the highest priority and urgency available at Framework.

We apologize for any concern this may have caused.

CGE · January 11, 2024, 8:50pm

It’s good to see the level of transparency in this email, which I also received. However, I’m a bit confused as to why I received it. I’m reasonably certain I don’t have any balance I owe on anything, and my last order was made and paid for at the end of November, so unless the accounting syncs were quite infrequent, I’m not sure why it would be in the list.

Peter_Schofield · January 11, 2024, 10:55pm

VERY infrequent, I got the email also and i’ve not ordered anything from frame.work since 2022

Andrew_Kahn · January 12, 2024, 12:54am

If framework is looking for a CISO, I know a guy.

Morpheus636 · January 12, 2024, 1:45am

Per the Framework team:

There are two primary reasons for historical closed orders being considered to have an outstanding balance. The first is fraction of cent differences in balance between different systems and how they calculate taxes.

Another is due to interactions between systems where tax rates changed between the initial order and shipment. These don’t have customer facing impact in terms of payment due, but require handling from an accounting perspective which is why your historic or cancelled order might have been included in the list of orders affected.

Again, we take your personal information privacy very seriously and we apologize for the inconvenience or alarm this incident might have caused you.

Vectorspace · January 12, 2024, 9:18am

I received this too, for my one order, fully paid and fulfilled almost 2 years ago.

I’m quite satisfied with how Framework handled it. Esspecially, if the timeline outlined in the email is correct, that it took Framework only 3 hours from receiving notification from Keating, to notifying me (and I assume all affected users were notified at about the same time).

Keating, I’m less impressed with. The email says they will be requiring Keating employees to have phishing training, but being a financial company I would hope they already do.

I’ve worked for two different UK financial companies, and phishing training was one of the mandatory annual trainings we did.
The second company, even went as far as to regularly send out fake phishing emails to staff, to measure how many fell for it verses how many correctly reported. I think that’s quite effective because all of us expect to get phishing emails, so we’re more likely to look at an email with suspicion.

Of course it’s possible Keating already have excellent training, but no-one is perfect and it’s always possible to fool someone. The fake phishing emails I mentioned, never get a 100% good result.

Christian_Grafe · January 13, 2024, 6:46pm

The data breach is already used by scammers, but in a different way than anticipated.

Today I received a scam SMS to the mobile phone number I used for shipping my Framework 13. They contacted me under the name of the the bank I used for the payment process and tried to get me to “renew my photoTan” under a fake website posing as my bank. I happily provide additional information privately if needed.

Morpheus636 · January 14, 2024, 6:01pm

Please respond to the breach notification email with this info so support is aware.

Christian_Grafe · January 14, 2024, 6:30pm

Already did respond to that. But only got the out of office notice. So waiting for them to respond back, to give all information needed.

SoldierSvejk · January 15, 2024, 2:25pm

I experienced the same almost immediately after ordering my FW13. This was in late December. It is probably unrelated to the breach.

Vectorspace · January 15, 2024, 2:31pm

SMS telephone number was not one of the leaked data items according to Frameworks email, so this implies they had more info, or managed to connect your name/email to your phone number via some other source.

TFSho · January 15, 2024, 6:26pm

With the prevalence of Data Brokers now a days, it would be trivial for scammers to match up a name + email to a mobile number.