What happened?
On 21st February, suspicious activity was noticed by our internal teams across several Awin accounts on the Awin User Interface, (‘Awin UI’). After conducting a diligent analysis of the unusual user behaviours, we identified a reoccurring pattern, linking these to a coordinated effort to target specific accounts to bypass our ongoing security monitoring.
In total, we identified 70 accounts had been affected.
We informed these accounts that personal information, stored within their user accounts, may have been seen and accessed by the unauthorized third party. This information could potentially have been duplicated and shared further in an unauthorized way. However, to date, we have no proof nor reason to believe this has been the case.
Additionally, a small group of accounts were also subject to the alteration of banking details for the purpose of transferring money to a fraudulent bank account resulting in limited financial damages to the affected individuals.
What actions did we take?
Awin immediately took measures to revoke all relevant passwords where we had reason to believe these may have been subject to unauthorised access, while we investigated further. We also implemented additional checks on payment details for accounts where we identified unauthorised access.
This may have resulted in a temporary loss of access to our services or delays in payments while we carried out additional checks on banking details. We apologise for any inconvenience this may have caused but took these preventive steps to avoid further risks to the individuals and to secure those accounts with the means available to us at the time.
Upon confirmation that the access was unauthorised, Awin sent communications to the affected individuals to ensure our customers were alerted as soon as possible. *
If you have not been contacted by us, you have not been affected by this incident.
We have additionally reached out to the responsible law enforcement agencies, as well as relevant authorities and third parties to investigate this matter to the best of our abilities, and to avoid any reoccurrence of this incident.
There is no indication of unauthorised access to Awin internal resources, accounts, or a breach of Awins’s internal security protocols.
We have moved swiftly to add additional assurance processes internally and are actively assessing a further series of improvements to Awin UI security, that will mitigate this and future similar events.
What actions can you take?
Through our investigation, we saw that only accounts where the additional technical safeguard of 2-step verification (2SV) was not activated were affected. We have already contacted all accounts that did not yet have this in place to encourage its use.
Since November 2019, Awin has offered 2SV to verify a user’s identity when they access services via the Awin UI. Though 2SV is not mandatory for all our users, we continuously highlight the availability of this feature via regular pop-up windows when you access the Awin UI via https://ui.awin.com/.
In light of this incident, we strongly urge Awin account owners to activate 2SV for the protection of your account and information, as this would have most likely prevented the unauthorised access. This can be done via the security settings available via the Awin UI. We also urge Awin account owners to review who has access to your account, and what permissions they have on a regular basis.
Account Permissions - Wiki (awin.com)
Additionally, we strongly advise you to:
- Enable 2SV on your Awin UI account
- NEVER share your passwords
- Setup dedicated user accounts for individuals to access your programme
- Ensure antivirus and antimalware tools are up to date on your device
*in accordance with GDPR
