Laptop computer maker Framework is notifying users that personal information was stolen in a data breach at its primary external accounting partner.
The California-based company said the incident occurred on Thursday, January 11, and was the result of a phishing attack targeting an employee at Keating Consulting.
According to the notification that Framework sent to the impacted individuals, a copy of which was shared by the company with SecurityWeek, the phishing email was received on January 9.
Impersonating the Framework CEO, the attackers asked the Keating Consulting employee to provide “accounts receivable information pertaining to outstanding balances for Framework purchases.”
The employee responded to the email on January 11, sending the attackers a spreadsheet containing the full names, email addresses, and balance owed related to a subset of open pre-orders and some completed past orders.
Framework was made aware of the incident roughly half an hour after the response email was sent to the attackers and Keating Consulting was informed of the error.
“We identified all impacted customers to enable mass-notification of the breach (this email),” the company said.
Framework said it informed Keating Consulting of the breach and the attack vector, asking them to train employees with access to customer information on phishing and social engineering attacks.
“We are also auditing their standard operating procedures around information requests. We are additionally auditing the training and standard operating procedures of all other accounting and finance consultants who currently or previously have had access to customer information,” Framework said.
The company urges users to remain vigilant for any phishing attempts that might impersonate Framework to request payment information or to deliver malicious links.
“If you are ever concerned about the validity of an email received from Framework, please contact Framework Support and we will confirm or deny the authenticity of any correspondence,” the company added.
Framework’s notification did not include details on the number of impacted individuals.