Modular laptop maker Framework contacts customers after phishing scheme hooks internal spreadsheet packed with personal data

Framework laptop
(Image credit: Framework)

Framework has been busy emailing customers whose data has been leaked due to a recent phishing attack (h/t Computer Base). Personal Identifiable Information (PII) of Framework customers with outstanding balances for device purchases was shared by the firm’s primary external accounting partner, which fell victim to a phishing attack. Customers named in the leaked spreadsheets will receive the email reproduced in full at the above link. However, we are relieved to note that the leaked PII is claimed to consist solely of the following details: full name, email address, and the balance owed.

The well-regarded modular laptop maker has made the human errors behind the data leak and its full scope very clear. To ensure customers are fully informed, Framework has provided an incident timeline, discusses what has been done to resolve the issue, says how it will avoid any similar goofs in the future, and advises customers who were named in the leaked data.

(Image credit: Framework)

Framework's data leak should provide another cautionary tale regarding cunning phishing attacks. According to the email shared on the Framework community forum, the firm's primary external accounting partner received an email that they thought was from the Framework CEO on January 9, 2024. Social engineering tactics were used to obtain a spreadsheet that contained customer information. Luckily, the scope of the information was quite limited (as noted in the intro), with no passwords, payment methods, or other potentially sensitive data.

According to its customer communications, Framework's reaction to the leak was pretty rapid. Within half an hour of the accountant responding to the attacker (on January 11), Framework's Head of Finance was made aware of the breach. He informed the accountancy business of the security error and escalated the incident to Framework leadership. Subsequently, all affected customers were identified and notified with complete details about the leak.

Lessons learned

Importantly, Framework plans to require employees at external consultants and service providers to have phishing and social engineering attack training. Additionally, it will audit the training and operating procedures of such partners.

Because their data was shared with the attackers, customers who received the email mentioned above have been warned that the phishers could potentially try to impersonate Framework to gather sensitive information. Thus, concerned customers should make sure any email that seems to be from Framework has arrived via the support@frame.work email address. Moreover, please remember that Framework will “never request payment information to be sent directly by email.” Customers can confirm the authenticity of any Framework communication via the customer support portal if in doubt.

Last but not least, as well as being pleasantly transparent about the phishing incident, Framework has apologized to all customers affected.

TOPICS
Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.

  • USAFRet
    Reply
  • Alvar "Miles" Udell
    According to the email shared on the Framework community forum, the firm's primary external accounting partner received an email that they thought was from the Framework CEO on January 9, 2024.
    Framework plans to require employees at external consultants and service providers to have phishing and social engineering attack training.

    Reply
  • CelicaGT
    I guess it's a good thing I haven't purchased one (yet). Also, why is Security Training not REQUIRED at every level of every corporation? (A rhetorical question.) It's not "If" but "When", and proper training can both reduce the instances AND the fallout. I am a field technician at a huge multinational, I have access to some moderately sensitive materials but nothing critical or personal. I have to do -some- kind of course every quarter or so. Often it's just beating down on the same social engineering tricks but I think it's important for employees to keep these things in mind and the training does that. It's also quick, to the point and easy to understand. On top of that we also have a very responsive Cybersecurity team, and monthly contests to catch the planted phishing emails/texts etc. They also notify -all users- of breaches, and what was done and learned from those breaches. We treat security exactly as we treat safety.

    *As my old boss used to say of safety, "If you think safety is expensive you should try paying for an accident". The same applies to cybersecurity.
    Reply
  • USAFRet
    CelicaGT said:
    Also, why is Security Training not REQUIRED at every level of every corporation?
    Even in places where it IS required, these things happen.

    Even among people at stratospheric levels of access, that should know better.
    Reply
  • CelicaGT
    USAFRet said:
    Even in places where it IS required, these things happen.

    Even among people at stratospheric levels of access, that should know better.
    Absolutely it will, but as noted the instances are less, and often less damaging. We do all kinds of tracking whether it's an actual accident (safety) or a security breach of some kind. Each instance is analyzed and "Lessons Learned" emails are sent out and discussed at weekly meetings. Names are never named, but positions are, even upper management. It's this kind of feedback that has the most effect imo.

    This is all in stark contrast to what we had 10 years ago, when I had full access to every technical drawing to every product we had (BILLIONS USD of IP), even prototypes and other protected works. I EVEN HAD PRINT ACCESS. My laptop had full permissions, I could install whatever I wanted and use any external storage I wanted. Personal use of corporate email was allowed for crying out loud. A certain nation-state threat actor got into our systems and had a ball. Weird.
    Reply
  • ezst036
    A spreadsheet?

    That alone should be a tip-off. Never, ever, fill spreadsheets with customer data.

    Coming from Framework this is particularly heartbreaking. I have wanted a build your own laptop for decades upon decades, and if Framework goes down that might close the only road which leads to full 100% modularity similar to how we build desktops.
    Reply