Skyline.com Ransomware Attackers Leak 170 GB of Data
September 23, 2020 • RBS
UPDATE 10/1/2020: A total of 172.4 GB has been released by the threat actors. Risk Based Security researchers have analyzed the data and determined the leak created less risk than first claimed by the threat actors. While the files do appear to have been taken from multiple Skyline employee desktops, the volume of concerning personal or financial data amongst work related files is very low. The title of this post has been updated to reflect this new analysis.
It is currently unclear if the threat actors have more data to release, and the incident remains a cautionary tale for businesses, showing how a single cyberattack can lead to massive amounts of data leaked publicly.
At this time Skyline has not responded to our inquiries regarding the event.
Ransomware has had a massive impact on 2020’s data breach landscape, contributing towards the 27 billion records exposed in the first half of the year alone. Just two breaches were responsible for leaking 18 billion of those records. It’s an example of an alarming trend our researchers have noted, where a handful of major breaches are responsible for jeopardizing the privacy and safety of billions.
Unfortunately, we may see something similar happening now with Skyline.
Over 200 GB of Data Leaked
Skyline Displays, Inc. is a large company that specializes in exhibits for events and trade shows, which gives an indication of the type and size of data exposed. According to their website, the company has “representation in 30 countries and has served well over 100,000 clients.”
On Monday, September 21st, a threat actor claiming to represent the Lockbit ransomware hacking group shared a number of files totaling over 200 GB on a prominent Russian-speaking dark web hacking forum.
The threat actor who posted the data alleges it is from Skyline. According to sources, the files contain:
- Cleartext credit card information (Names, credit card numbers, expiration dates, CVV)
- Passport scans of US citizens
- Driver License scans
- W-9 scans
- Social Security numbers
- Bank and account information
- Payroll information
- Email addresses and phone numbers
Risk Based Security has reached out to Skyline to confirm the claim’s legitimacy, but at this time they have not responded to our inquiries. However, the forum is frequented by notorious ransomware operators, which suggests that the threat actor’s claims are valid. Our researchers are in the process of independently confirming the source of the data.
The Full Impact Is Still Unknown
The files contain many document scans, making it difficult at first pass to ascertain the full extent of the data exposed and number of individuals impacted. Regardless, the large file size implies the impact of the breach may be extensive. When compared to some of the other major data breaches analyzed by Risk Based Security, it shows that the impact of the data exfiltration may be substantial:
|Breached Organization||File Size||Number of Individuals Affected|
|Wattpad||128 GB||268 million|
|Zynga||72 GB||218 million|
|Skyline Displays||200 GB||TBD|
While file size can be heavily dependent on the type of documents included, nevertheless the unusually large size is of serious concern because it points to an alarming breach for Skyline. It is important to note that our research has previously uncovered recent ransomware events where actors are grabbing any files they can find, meaning the leak may not be entirely made up of sensitive or confidential information. Regardless of how many individuals do end up being affected, we believe that we can expect that number to disproportionately include US information, given that the majority of Skyline locations are centered in the US.
Unlike the Wattpad and Zynga incidents, the Skyline data breach contains cleartext credit card information, and since Skyline is primarily a B2B organization, this leak could have far reaching implications for Skyline’s customers.
Another Data Drop Expected
When the data was shared on September 21st, it was originally limited to forum administrators and premium users. However, the data was shared publicly the next day, September 22nd. The post also claimed that a further data archive will be shared on Thursday, September 24th.
This is a developing story and will be updated as new information comes to light.