Inside Job – Coinsquare Data Theft Facilitated by Former Employee

July 2, 2020
coinsquare data theft

Canada’s leading cryptocurrency platform hacked?

Coinsquare is widely considered as Canada’s foremost platform for cryptocurrency exchange. The organization is one of the world’s leading cryptocurrency company for most known digital currencies. As a regulated exchange body of Canada’s FINTRAC (Financial Transactions and Reports Analysis Centre), Coinsquare was able to obtain a reliable and exclusive business partnership with one of the five largest banks in Canada. They owe it to their business transparency practices, risk assessment, and mitigation, including a safe and regulated environment for crypto exchange, secured with blockchain innovations.

As unfortunate as it sounds, the company got blind-sided by a former employee who deliberately stole their data from the company’s CRM (Customer Relationship Management) system. The stolen information was sold and ended up in the hands of hackers, bent on making a massive payday. According to initial reports from security researchers, there was more than 5,000 personal info that was seen by their analysis.


Validation of the stolen Coinsquare data

Several independent forensics experts validated some of the stolen data, as claimed by the hackers. The stolen information included the client’s complete names, residence phone numbers, mobile numbers, email addresses, residence addresses, including financial and cryptocurrency data. Some of the samples leaked accounts were tested for legitimacy – using the registered email addresses to check for account membership, called residence phone numbers and mobile numbers to check for the user account attached to it. As it turns out, all the accounts were verified and indeed belonged to the members.

According to one of the hackers, the original purpose of the stolen data was to sell it to the highest bidders. But they thought, since this is such valuable information, they can earn a lot more money if they use it – then comes the SIM-swapping idea. With all the personal data for clients at their disposal, it’s relatively easy to port the phone numbers to the hackers’ SIM cards, hence, taking over all their messages, phone calls, and eventually their OTP (One Time Passwords).


The company’s counteraction

Coinsquare has immediately notified law enforcement agencies and data protection offices about the breach. Canada’s Cyber Security Agency was also called upon to provide additional support in the investigation and assist law enforcement in information dissemination, especially to the victims and other affected personnel.

Since the breach, the company has amped-up its efforts and acquired additional hardware and software controls in order to prevent and avoid both internal and external threats. Authorities have also recommended more robust data management and customer management systems to increase both client and company protection.

About the author

Leave a Reply