Online safety platform Aura has disclosed a data breach resulting from a phone phishing attack targeting one of its employees.
The phishing attack, the company says, provided the attackers with access to the employee’s account for approximately an hour.
“Upon discovery, Aura immediately terminated access to the account and activated its incident response plan, engaged external cybersecurity and legal experts, and notified law enforcement,” the company said in an incident notice.
The attackers, it says, accessed roughly 900,000 records, most of which represent names and email addresses stored in a marketing tool “used by a company Aura acquired in 2021”.
The compromised information, the company says, includes the names, email addresses, addresses, and phone numbers of roughly 20,000 current and approximately 15,000 former customers.
“No Social Security numbers, passwords, or financial information were compromised,” Aura’s notice reads.
Sensitive customer information, the company explains, is stored encrypted, and access to it is highly restricted.
“Aura’s systems have been purpose-built to limit the potential exposure of customer information in the event of a breach, including organizational, technical, and physical safeguards that worked as designed in this incident,” the notice reads.
Aura has started notifying the impacted customers and will provide them with the necessary support, but claims these individuals are not exposed to “significantly elevated” risk.
The company did not say when the attack occurred or who might be responsible for it. SecurityWeek has emailed Aura for additional information on the matter and will update this article if the company responds.
Based in Burlington, MA, Aura provides consumer cybersecurity solutions such as identity theft protection, fraud protection, and network and device protection.
Related: Robotic Surgery Giant Intuitive Discloses Cyberattack
Related: Security Firm Executive Targeted in Sophisticated Phishing Attack
