NSO Stuck in the Eye of the Tornado Pointing the Finger to Its Clients
Last updated September 17, 2021
Hackers have posted a set of 42 GB of data allegedly belonging to CEFCO, a gas and convenience store chain operating 220 stores across six states in the United States. The details that we saw posted on “Marketo Leaks” include details relevant to clients, partners, and even competitors, with financial documents, contractual agreements, account lists, budget reports, NDAs, and various other interesting stuff involved in the so-called evidence pack. This pack is a whopping 42GB of data that is shared as proof of the breach, free for anyone to download.
CEFCO is a subsidiary of ‘Fikes,’ which includes brands like ‘Fikes Fuels,’ ‘CORD Financial Services’ (ATM solutions), ‘Group Petroleum Services,’ and ‘Digital Network Solutions.’ Still, the cyberattack appears to affect only Cefco. At least this is the entity the actors are starting their extortion from, so we can’t rule out anything yet. We have sent an email to the company to ask for a comment and whether the shared data is valid or not, but we have not heard back from them yet.
“Marketo” is a new leaked data marketplace that was launched in April 2021, and from what we can see from using the specialized dark web intelligence tools provided by KELA, it is just now starting to gain traction. Other victims presented on the same platform include T&T Canada, the Municipal Court of Princeton, the Komatsu Group, AXIS Communications, Lime Energy, and SIEMENS Gamesa Corporation. Of course, we were unable to confirm any of these breaches, although some have been reported on other media.
If you are a customer of CEFCO, you may want to contact the firm and ask about how this alleged breach affects you. The actors claim to hold customer data, including payment or credit card details, but we don’t know for sure yet.
Also, CEFCO has recently launched a “rewards app,” so maybe data from there is involved too. Most CEFCO stores are located in Texas, Louisiana, Alabama, Mississippi, and Florida, and while none of these states have strong data protection laws in place, they still require breaches to be reported to the corresponding Attorney General Offices.