News Modular laptop maker Framework contacts customers after phishing scheme hooks internal spreadsheet packed with personal data

[Admin]

Framework has been busy emailing customers whose data has been leaked in the wake of a recent phishing attack on its primary external accounting partner. However, the data leaked isn't highly sensitive.

Modular laptop maker Framework contacts customers after phishing scheme hooks internal spreadsheet packed with personal data : Read more

 

[USAFRet]

 

[Alvar "Miles" Udell]

According to the email shared on the Framework community forum, the firm's primary external accounting partner received an email that they thought was from the Framework CEO on January 9, 2024.

Framework plans to require employees at external consultants and service providers to have phishing and social engineering attack training.

 

[CelicaGT]

I guess it's a good thing I haven't purchased one (yet). Also, why is Security Training not REQUIRED at every level of every corporation? (A rhetorical question.) It's not "If" but "When", and proper training can both reduce the instances AND the fallout. I am a field technician at a huge multinational, I have access to some moderately sensitive materials but nothing critical or personal. I have to do -some- kind of course every quarter or so. Often it's just beating down on the same social engineering tricks but I think it's important for employees to keep these things in mind and the training does that. It's also quick, to the point and easy to understand. On top of that we also have a very responsive Cybersecurity team, and monthly contests to catch the planted phishing emails/texts etc. They also notify -all users- of breaches, and what was done and learned from those breaches. We treat security exactly as we treat safety.

*As my old boss used to say of safety, "If you think safety is expensive you should try paying for an accident". The same applies to cybersecurity.

 

[USAFRet]

Also, why is Security Training not REQUIRED at every level of every corporation?

Even in places where it IS required, these things happen.

Even among people at stratospheric levels of access, that should know better.

 

[CelicaGT]

Even in places where it IS required, these things happen.

Even among people at stratospheric levels of access, that should know better.

Absolutely it will, but as noted the instances are less, and often less damaging. We do all kinds of tracking whether it's an actual accident (safety) or a security breach of some kind. Each instance is analyzed and "Lessons Learned" emails are sent out and discussed at weekly meetings. Names are never named, but positions are, even upper management. It's this kind of feedback that has the most effect imo.

This is all in stark contrast to what we had 10 years ago, when I had full access to every technical drawing to every product we had (BILLIONS USD of IP), even prototypes and other protected works. I EVEN HAD PRINT ACCESS. My laptop had full permissions, I could install whatever I wanted and use any external storage I wanted. Personal use of corporate email was allowed for crying out loud. A certain nation-state threat actor got into our systems and had a ball. Weird.

 

[ezst036]

A spreadsheet?

That alone should be a tip-off. Never, ever, fill spreadsheets with customer data.

Coming from Framework this is particularly heartbreaking. I have wanted a build your own laptop for decades upon decades, and if Framework goes down that might close the only road which leads to full 100% modularity similar to how we build desktops.