Threatwatch

Employee iPhones at UK insurance giant suffer Heartbleed failure

Network intrusion; Unauthorized use of system administrator privileges

A mobile device management system at Aviva was plundered, purportedly by hackers who exploited the Heartbleed vulnerability, although the system provider denies the bug played a role. 

The company apparently is discussing moving to a new platform in the wake of the incident. Aviva was using service provider MobileIron to manage more than 1,000 BYOD devices like iPhones and iPads. The attacker compromised the MobileIron admin server and posted a text message to employee handhelds and email accounts.

The message read: 

"it maks my hart bled to say good by lik this, love u mobile iron"

The hacker then fully erased every device and downed the MobileIron server itself. 

Aviva downplayed the impact of the breach, and reassured clients that customer data was not exposed.

"The issue was specific to iPhones and none of Aviva's business data was accessed or lost. Someone gained access to a third party supplier, which also enabled them to reset mobile devices for some Aviva users. There were no financial losses or repercussions. It was an overnight issue and by the start of the next day we had begun to restore devices," the company said in a statement. 

Aviva reportedly has moved affected staff onto a Blackberry 10 service to manage all the Apple devices, and is in talks with MobileIron reseller Esselar to cancel its contract. The incident was first reported by Postonline.co.uk.

MobileIron described the situation as an isolated problem that didn't affect other mobile management system customers.

"Our investigation concluded that this incident neither resulted from nor exploited any compromise or vulnerability in MobileIron systems or software. All indications are that this was an isolated incident that does not represent a threat to other MobileIron customers," the company said in a statement. 

MobileIron later added the following: "It is important to note that foundational components of the MobileIron Infrastructure are not vulnerable to the attack including our VSP (management console), Sentry (Secure Mobile Gateway), ConnectedCloud, Anyware, and the MobileIron client. None of these product components are vulnerable. We also conducted a recent webinar reviewing this for our customers."

Sector: Financial Services; Technology; Web Services

Reported: June 23, 2014

Reported by: The Register

Number affected: Unknown

Location of breach: Unknown

Perpetrators: Unknown

Location of perpetrators: Unknown

Date breach occurred: 2014-5-20

Date breach detected: Within 24 hours