Central Securities notifies stockholders of data breach that leaked SSNs; ransomware gang claims responsibility

Central Securities Corporation this week confirmed it notified an undisclosed number of people about an April 2024 data breach that compromised names, Social Security numbers, stockholder account numbers, and addresses.

Ransomware group Underground claimed responsibility for the attack on June 10, 2024, saying it stole 42.8 GB of data. Third-parties report the ransom demand was $3 million.

CSC has not verified Underground’s claim, which further states the group stole company reports, employee salaries, photos, private correspondence, and shareholder reports.

The notice (PDF) states, “Our investigation determined that an unauthorized third party gained access to Central Securities’ internal systems on or about April 17, 2024, seemingly through a legitimate account of one of our vendors that had authorized access to our systems. The unauthorized third party then used our vendor’s access to remove certain data from our systems around May 20, 2024.”

We do not yet know who the vendor was, how many people were affected by the breach, or how attackers breached CSC’s network. Comparitech contacted Central Securities for comment and will update this article if it responds.

CSC is offering victims 24 months of free credit monitoring via Experian.

Who is Underground?

Underground is a new ransomware group that first started posting claims on its data leak site in May 2024. It mainly distributes its malware through phishing attacks.

Comparitech researchers have tracked three confirmed attacks claimed by Underground, plus 13 unconfirmed claims. Its other targets include Skender Construction and A-Line staffing solutions. Both companies are based in the USA.

Ransomware attacks on US finance

Ransomware attacks on finance companies can compromise private financial data and disrupt operations that lead to delays and data loss. Aside from data theft, ransomware often encrypts affected systems so they can’t be used until a ransom is paid to decrypt them. Ransomware groups demand additional ransom be paid in exchange for not selling or publicly releasing stolen confidential data.

We logged 30 confirmed ransomware attack on US financial companies in 2024 so far, affecting 28.5 million records. In 2023, we recorded 58 such attacks affecting 10.9 million records.

The average ransom across all these attacks was $1.28 million.

Other recently confirmed breaches in this sector include accounting firms Wright, Moore, DeHart, Dupuis & Hutchinson, and Feldstein & Stewart.

Another 96 ransomware attacks on US finance companies have been claimed by ransomware gangs in 2024, but not acknowledged by targets.

About Central Securities Corporation

Central Securities Corporation is an investment company listed on the NYSE ($CET) with $1.5 billion in net assets, according to its latest shareholder report.