Location Tracker Firm Tile Hit by Data Breach, Hackers Access Internal Tools

The compromised data included customers' personal information such as names, physical addresses, email addresses, and phone numbers. Notably, however, the stolen data did not contain the precise locations of Tile devices, which are typically used for remote monitoring. The hacker claimed to have gained access to Tile's system by acquiring login credentials, possibly belonging to a former Tile employee. This allowed them to exploit tools specifically designed for initiating data access, location history, and law enforcement requests. Through these tools, the hacker could identify Tile customers using various identifiers such as phone numbers.

The hacker mentioned having broad access to Tile's systems, stating, "Basically I had access to everything." Despite this, they claimed that Tile did not respond to their demand for payment. Aside from the tools for law enforcement requests, the hacker provided screenshots of other internal Tile tools. These included tools for transferring Tile ownership, creating administrative users, and sending push notifications to Tile users. The hacker claimed not to have utilized this capability.

Security Officer Comments:
This report suggests that the company's credentials may have been leaked, sold, or compromised by a former employee, indicating a potential insider threat. Our telemetry shows that out of 3,000 reports produced by the IT-ISAC from 2021 to 2023, approximately 20% were attributed to malicious insider threats. Whether this number is perceived as high or low, the consequences of such events could be devastating for businesses and customers alike. Insider threats not only have access to internal systems but also possess knowledge of where sensitive data is located, significantly reducing the effort required to compromise it.

In recent years, we have reported on several incidents that were caused by insider threats:

  • Aurora Cannabis data breach
  • Cognizant Technology Solutions data breach
  • JPMorgan Chase data breach
  • Kohl's data breach
  • USPS data breach
  • PNC Bank data breach
  • Home Depot data breach
  • Capital One data breach
  • UnitedHealth Group data breach

In this specific instance, a former employee's credentials were used, highlighting the importance of robust security measures, including thorough credential management and employee offboarding procedures.

Suggested Corrections:
Tile responded to the breach by stating that they promptly initiated an investigation upon being contacted by an extortionist claiming to have accessed their system. They confirmed that unauthorized access had occurred on a customer support platform, but they gave assurances that no sensitive information such as credit card numbers or passwords had been compromised. They took immediate action to prevent further unauthorized access to customer data.