Statement on Email/Data Breach

John Lyotier
RightMesh
Jun 3, 2018

As promised in our previous communications, we can now report more details about the exposure of client records and share what we know. We are working with both internal and external investigators to help understand what happened, and we have been in contact with law enforcement.

This is what we have learned so far:

1. It now appears that on May 29, 2018 at 23:51 PDT, a malicious actor gained access to our account at a third-party customer relationship management (CRM) system. The attacker used a pre-existing username and password of one of the administrators within the account, and as a result, the breach was not noticed.

2. The CRM system contained contact records for 7,170 members of our community. These included data elements like name and email addresses for community members. No password or financial information was stored in the CRM system.

3. The malicious actor sent an email through the CRM system to all contacts, pretending to be RightMesh.

4. The email included a fake Ethereum address and encouraged people to contribute to this fake address.

5. The email was spotted and a disclaimer was quickly published, reminding the community to use only the official contribution procedure and to beware of others soliciting funds in email or social media.

6. Unfortunately, two (2) contributors submitted funds to this fake address for a total of 42 ETH.

As soon as the issue was discovered, our internal security team began investigating and we went into lockdown mode on our CRM and other systems. Bitcoin Suisse was informed immediately, and our communications plan was activated. A statement was put out on various RightMesh social media channels and updated as the situation unfolded. When the data breach was detected, a decision was made to send a final email to warn of the scam attempt being made. This was done manually without using the CRM system. Unfortunately, we rushed this, and as a result, it was sent out with email addresses contained in the “to” field instead of the “bcc” field. This also should not have happened, and we apologise to our community.

So where does this leave things now?

1. We have been in contact with law enforcement and we will continue to cooperate with them.

2. We will continue to work with our internal and external investigators so we can more fully understand what happened, what attack vectors were used, and how we can better harden our systems. When we have verifiable information, we will continue our practice of open communication and share this with you.

3. We are reaching out to the 2 contributors who submitted ETH to the wrong address (we have been able to ascertain with accuracy who they are), and we will allocate RMESH tokens to them from our own resources.

4. Our investigations will continue and we intend to share our experiences and lessons with the community so others can learn to defend themselves better.

5. We will get busy building. You have entrusted us with your contributions and have asked us to execute our shared vision.

The team at Bitcoin Suisse have confirmed that there was no infiltration or breach of the Bitcoin Suisse systems or the RightMesh Smart Contracting system. This breach was limited to contact records that were contained within our third-party CRM system.

Having this happen is deeply painful for us. Our team and our community are the greatest assets we have. We worked incredibly hard to be prepared, and then to experience malicious thieves using our systems to try to steal from our people hurt us at a core level.

While the entire team feels terrible about this, we understand that as leaders the ultimate responsibility starts and ends with Chris and me. Chris and I extend our deepest personal apologies for any troubles this may have caused you all.

If you wish to know how any of this impacted you personally, please email me at john@rightmesh.io or Chris at chris@rightmesh.io.

We look forward to continuing our journey with each of you as a part of our fantastic community working towards a more connected world.

Be well,

John Lyotier, Chris Jensen

Co-Founders

RightMesh AG


John Lyotier
RightMesh

Co-Founder of RightMesh (www.RightMesh.io) and parent-company Left (www.Left.io). Words are my own and written for my own enjoyment… no really… I love to write.