Debt acquisition and credit servicing firm, Cabot, has been the target of a cyberattack and 394,000 files of data has been stolen, including material related to its direct customers and its loan book, the High Court has heard.
Cabot Financial (Ireland) Ltd, Cookstown Court, Old Belgard Road, Tallaght, Dublin, claims there are "persons unknown" behind the attack along with a UK incorporated web hosting provider called Aeza International Ltd.
Last month, Cabot was granted an injunction requiring Aeza and the "persons unknown" to deliver up some 356 GB of data initially removed from Cabot's IT system between September 17th and 18th last.
Cabot was also granted an anonymisation order and its initial application was heard in private (in camera) by Mr Justice Brian Cregan.
Cabot successfully argued that this was to prevent the alleged cyber attackers seeking a ransom for the return of the data.
It also argued that if the alleged attackers were given notice of the making of any order by the court, this could lead to widespread dissemination of the material.
Cabot has more than 100,000 current customers and if the data stolen includes historic customers, it could be multiples of that figure, Cabot director Sean Webb said in an affidavit.
When the case again came before the court later in October, Mr Justice Oisín Quinn lifted the anonymisation and in camera order.
On Thursday, when it then came before Mr Justice Mark Sanfey, Johnathan Newman SC, for Cabot, said following the initial one-side only represented application before Mr Justice Cregan on October 9 last the known defendant (Aeza) had been served with the court papers by registered post. However, there had been no appearance before the court by Aeza.
Counsel said when the matter was before Mr Justice Quinn, that judge had concerns about service of the papers on persons unknown who are only identified by an IP (internet protocol) address.
The judge made certain orders in relation to them but it had not been possible to serve the order and counsel sought to continue the order in order that this could be done.
Mr Justice Sanfey directed that as well as serving them with the papers by post they could also be informed by email of the making of the court order. He said the case could come back next month when the court will hear an application for the extension of the injunction until the full case is heard.
In his affidavit grounding the injunction application, Cabot director Mr Webb said the firm holds personal and corporate information on its IT system along with identification documentation, corporate, commercial and employee data.
In the last two weeks of September, Cabot became concerned at suspicious activity on its systems and a number of technical steps were taken to respond, he said.
It then engaged an incident response team to commence a thorough investigation supported by cyberattack expert Mandiant and external counsel.
On October 4th, Mandiant reported a data theft. It was discovered that on September 17th, a command was made to back up files to an external IP address.
Mr Webb said that between September 17th and 18th, "event logging" on its system recorded the backup utility accessing 393,984 files. He said the "threat actors" had accessed the system and removed around 356.65 of data to the external IP address.
Cabot says it notified the Central Bank and the Garda National Cyber Crime Bureau of the matter.
Mr Webb said the impacted data includes information relating to direct customers' debt acquired by Cabot and customers of financial institutions that Cabot provides credit servicing activities to.
It includes loan book data relating to loans it purchased and contact details. There is a risk it could contain material relating to health or marital relationship in instances where a customer writes explaining the circumstances giving rise to repayment arrears, he said.
There was also sensitive data relating to employees as well as data relating to pricing, redundancies, business opportunities and internal corporate confidential data.
Mr Web said Mandiant had concluded that the IP address is associated with Aeza which has an address in Barking Road, London. From a Google Street View search, it appears to be the office of another firm that merely provides secretarial services to Aeza, he said.
The only director of Aeza is Mr Marat Timurov with an address in Uralsk, Kazakhstan. Aeza's website describes it as a web hosting provider and it has a UK contact number and an email address.
