A devastating supply chain attack hit Workday and other major brands, while a $2M regulatory fine for MFA failures and an FBI warning about a 7-year-old Cisco flaw underscored a week of fundamental security challenges.
Last week, the financial technology landscape was shaken by a cascade of third-party data breaches and a major regulatory fine that laid bare the catastrophic consequences of fundamental security failures. The period of August 18th to 24th was dominated by the fallout from a sophisticated social engineering campaign targeting CRM platforms, while a US regulator sent a clear and expensive message about the non-negotiable requirement for multi-factor authentication.
The week’s events serve as a stark reminder that an organization’s attack surface extends far beyond its own walls, deeply into its supply chain and trusted software vendors. Furthermore, as nation-state actors continue to exploit old, unpatched vulnerabilities in critical infrastructure, the need for relentless vigilance and proactive security has never been greater. For CISOs, the focus must be on interrogating the security of their partners as rigorously as their own.
Here is our debrief of the key events you need to know.
Following a series of high-profile breaches, HR and finance software giant Workday confirmed on August 18th that it too had fallen victim to the sophisticated social engineering campaign targeting Salesforce CRM systems. The attack, attributed to the notorious hacking collective “ShinyHunters,” did not compromise Workday’s core HR and financial platforms but did expose business contact information stored in its third-party CRM environment.
This incident is part of a much larger, coordinated attack wave that has already impacted major global brands like Google, Allianz Life, and Qantas. The attackers’ methodology is consistent and alarmingly effective: they use voice phishing (“vishing”) to impersonate IT or help desk staff. They then contact employees via phone or text, tricking them into authorizing a malicious OAuth application disguised as a legitimate tool like Salesforce’s “Data Loader.” This grants the attackers persistent access tokens, allowing them to exfiltrate large volumes of data from the company’s CRM. The Workday breach underscores the immense systemic risk within the SaaS ecosystem. Attackers are targeting the trusted, interconnected platforms that underpin modern business operations, turning a company’s own tools against it.
Bob’s Analytical Point: “The ShinyHunters campaign is a watershed moment for supply chain security because it’s targeting the connective tissue of the enterprise world—the CRMs that hold every valuable business relationship. This isn’t about a single vulnerability; it’s about exploiting the ‘trust architecture’ of cloud services. The attackers aren’t breaking down the door; they’re tricking employees into handing over the keys via OAuth. For every fintech, the immediate question is: How are we monitoring and controlling third-party app integrations into our core platforms like Salesforce and Office 365? If you can’t see which apps have access to your data and what they’re doing with it, you’re flying blind.”
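One way to answer Bob’s question about visibility into third-party app grants, as an added example that is not code from Workday, Salesforce or the original article: audit connected-app authorizations against an allowlist of approved client ids, flagging unknown apps whose names imitate an approved tool or that request high-risk scopes. The allowlist, client ids and the JSON-lines event format are constructed for this example, not any vendor’s real log schema.

```python
"""Audit third-party OAuth app grants against an allowlist (added example)."""
from __future__ import annotations
import json
from difflib import SequenceMatcher
from typing import Optional

# Hypothetical allowlist: approved connected apps keyed by their OAuth client id.
APPROVED_APPS = {
    "3MVG9-approved-dataloader": "Data Loader",
    "3MVG9-approved-bi-connector": "BI Connector",
}
# Scopes that give an app persistent, broad access to CRM data.
HIGH_RISK_SCOPES = {"full", "refresh_token", "api"}

# Constructed sample of app-authorization events (JSON lines), not real logs.
SAMPLE_EVENTS = """
{"user":"a.finance@example.com","app_name":"Data Loader","client_id":"3MVG9-approved-dataloader","scopes":["api","refresh_token"]}
{"user":"b.sales@example.com","app_name":"Data Loader","client_id":"3MVG9-unknown-7f2a","scopes":["full","refresh_token"]}
{"user":"c.ops@example.com","app_name":"BI Connector","client_id":"3MVG9-approved-bi-connector","scopes":["api"]}
{"user":"d.hr@example.com","app_name":"Dataloader Pro","client_id":"3MVG9-unknown-c91e","scopes":["full","refresh_token"]}
"""

def _normalize(name: str) -> str:
    return name.lower().replace(" ", "")

def lookalike(name: str) -> Optional[str]:
    """Return the approved app name this one resembles (same or near-same spelling), if any."""
    for approved in APPROVED_APPS.values():
        if SequenceMatcher(None, _normalize(name), _normalize(approved)).ratio() >= 0.8:
            return approved
    return None

def audit_grants(jsonl: str) -> list[dict]:
    """Flag grants whose client id is not approved and explain why each matters."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["client_id"] in APPROVED_APPS:
            continue  # the genuine app: identity is the client id, not the display name
        reasons = ["client id not on allowlist"]
        if target := lookalike(ev["app_name"]):
            reasons.append(f"name imitates approved app '{target}'")
        if risky := HIGH_RISK_SCOPES & set(ev["scopes"]):
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        findings.append({"user": ev["user"], "app_name": ev["app_name"],
                         "client_id": ev["client_id"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['app_name']} ({f['client_id']}) -> {'; '.join(f['reasons'])}")
```

The key point the lookalike check makes is that a display name such as “Data Loader” is attacker-controlled; only the client id identifies the app.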
In a major enforcement action, the New York Department of Financial Services (NYDFS) announced on August 21st that it had fined insurance provider Healthplex, Inc. $2 million for multiple violations of its landmark cybersecurity regulation. The fine stemmed from a 2021 phishing attack that exposed the personal data of tens of thousands of New York residents, but the regulator’s findings revealed deep, systemic security failures.
The investigation found that Healthplex had failed to implement multi-factor authentication (MFA) on its email system after migrating to a new platform, leaving a critical door open for the attacker. Furthermore, the compromised employee email account contained over 100,000 emails dating back 20 years, a direct result of the company’s failure to have a data retention policy. This massive over-retention of data dramatically increased the scope and impact of the breach. The NYDFS also cited the company for failing to report the incident within the required 72-hour window and for falsely certifying its compliance with the regulations for several years.
Bob’s Problem-Solving Insight: “The NYDFS just made an example out of Healthplex, and every CISO in the financial sector should be paying close attention. This wasn’t just a fine for getting breached; it was a fine for failing at the absolute basics. Two things stand out. First, MFA is not optional—it’s the baseline. The regulator explicitly called it the ‘first line of defense.’ If you have any remote access to internal systems without MFA, you are in direct violation and the penalties will be severe. Second, data is a liability. Hoarding data without a business justification is a regulatory time bomb. This fine proves that regulators now see a direct link between poor data governance and cybersecurity risk. A robust, automated data retention policy isn’t just good hygiene; it’s a critical control for minimizing the blast radius of an attack.”
The FBI issued a stark warning on August 21st, revealing that nation-state hackers associated with Russia are actively exploiting a seven-year-old vulnerability in Cisco’s Smart Install client. The flaw, which affects a now-deprecated network management protocol, can allow an attacker to take full control of vulnerable switches and routers, critical components of a company’s network infrastructure.
The advisory was a frustrating reminder that even old, well-documented vulnerabilities can pose a persistent threat if not properly patched. The fact that sophisticated state-sponsored actors are still finding success with a 2018 vulnerability indicates that many organizations continue to struggle with basic patch management and asset inventory. For financial institutions, which are considered critical infrastructure, the presence of such outdated and vulnerable equipment on their network is an unacceptable risk that could be exploited to disrupt operations or gain a foothold for a more significant attack.
Bob’s Take: “This is both embarrassing and deeply concerning. A seven-year-old flaw is an eternity in cybersecurity. For a threat actor to get mileage out of this today means there are fundamental breakdowns in security programs. It points to a lack of asset visibility—you can’t patch what you don’t know you have—and a failure to prioritize the decommissioning of legacy technology. This should trigger an immediate, urgent review at every financial firm: Do we have a complete and accurate inventory of all network hardware? Have we disabled legacy protocols like Smart Install? And do we have a plan to get unsupported hardware off our network for good? Nation-states love to prey on the basics because they know that’s where organizations are weakest.”
Adding to the week’s security challenges, researchers on August 22nd detailed a new and evasive phishing framework known as “Salty 2FA.” This toolkit is specifically designed to defeat multiple forms of multi-factor authentication, including SMS, voice calls, and companion app-based push notifications. The framework is sold as a service to other criminals, lowering the barrier to entry for conducting sophisticated credential theft attacks. Salty 2FA works by acting as a man-in-the-middle, creating a convincing fake login page that proxies the user’s credentials to the real service in real time. When the legitimate service sends an MFA prompt, the phishing kit intercepts it and presents it to the victim, capturing the one-time code or tricking them into approving the push notification. This allows the attacker to steal the session token and gain full access to the account, rendering many common MFA implementations useless.
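Why a proxy kit of this kind fails against origin-bound MFA, shown as an added example (not code from the researchers or the article): the relying-party side of a WebAuthn assertion check on a constructed clientDataJSON. A one-time code carries no information about where the user typed it, whereas the browser records the origin it actually loaded, so a proxied sign-in from a lookalike domain is rejected even though the challenge was relayed correctly. The origins and challenge are hypothetical; a real deployment would also verify the authenticator signature, and the browser would already refuse to use a credential whose RP ID does not match the page’s domain, making this server-side check the backstop.

```python
"""Relying-party clientDataJSON checks that defeat an AitM proxy (added example)."""
from __future__ import annotations
import base64
import json
import secrets

EXPECTED_ORIGIN = "https://login.example.com"  # hypothetical relying party origin

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge_b64: str) -> str:
    """What the victim's browser produces: it records the origin it actually loaded,
    which under a proxy kit is the phishing domain, not the real service."""
    body = {"type": "webauthn.get", "challenge": challenge_b64, "origin": origin}
    return b64url_encode(json.dumps(body).encode())

def verify_client_data(client_data_b64: str, issued_challenge: bytes) -> tuple[bool, str]:
    """Checks the WebAuthn spec requires of the server: ceremony type, challenge, origin."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Constant-time compare against the challenge issued for this session (anti-replay).
    if not secrets.compare_digest(b64url_decode(data.get("challenge", "")), issued_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"

def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Legitimate sign-in versus the same challenge relayed through a proxy domain."""
    challenge = secrets.token_bytes(32)
    ch = b64url_encode(challenge)
    legit = verify_client_data(make_client_data(EXPECTED_ORIGIN, ch), challenge)
    # The proxy forwards the genuine challenge, but the browser signs the lookalike origin.
    phished = verify_client_data(make_client_data("https://login.example-com.net", ch), challenge)
    return legit, phished

if __name__ == "__main__":
    print(demo())
```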