How SVigil Prevented a Massive Supply Chain Breach in Banking Infrastructure?

In today’s hyper-connected financial ecosystem, a single compromised vendor can jeopardize the security of an entire banking infrastructure. CloudSEK’s SVigil platform uncovered exposed credentials belonging to a key third-party communication provider, putting millions in operational credit, sensitive customer data, and critical cloud infrastructure at risk. This real-time discovery not only thwarted a large-scale breach but also highlighted glaring gaps in cloud access controls, MFA implementation, and vendor security hygiene. Dive into this case study to understand how SVigil turned a potential cyber catastrophe into a story of resilience and rapid response.

Hansika Saxena
March 27, 2025

Financial institutions rely on third-party vendors for communication and customer engagement platforms, but these dependencies can quietly introduce serious cybersecurity risks. CloudSEK’s Supply Chain Monitoring platform, SVigil, uncovered exposed credentials belonging to a key supplier of a major banking entity. These credentials granted access to a centralized communications portal, exposing sensitive customer data, call recordings, and critical cloud infrastructure.

SVigil’s timely discovery enabled proactive risk mitigation, preventing misuse of sensitive cloud configurations and millions in operational credit—safeguarding both infrastructure and customer trust.

The Discovery

During continuous scanning for vendor-related threats, CloudSEK’s SVigil platform detected compromised credentials belonging to employees of a third-party communication service provider. These credentials granted access to the Central Portal, a vital interface used for campaign orchestration, contact center operations, and cloud infrastructure configuration.

The exposed access led to the discovery of a severe data breach affecting prominent banking entities, including access to critical systems and sensitive data of a major bank. The breach risked operational disruption, data theft, and unauthorized communication with customers.

Key Findings

Platform Affected: Central Portal of a Communication Service Provider
Modules Exposed: Flows, Campaigns, Emergency Notifications, Reports, Setup, Cloud Accounts
Critical Exposure:

  • USD 3 million in credit balance.
  • Credentials for 32 cloud service accounts across AWS, GCP, and Azure.
  • GCP service accounts with elevated privileges (Owner/Editor roles).
  • Access to sensitive call recordings and transcripts.
  • Ability to send bulk SMS/email to over 50K users.

Technical Analysis

Source of Credentials: Credential dump on dark web.

Portal Features & Risks:

  • Dashboard Overview: Visualizes metrics on outbound/inbound calls, SMS, emails.
  • Call Queues Module: Routes calls to agents. Malicious access could allow redirection to fraudulent call centers.
  • Dynamic Agents: Add/manage agents. A breach here enables full manipulation of contact center operations.
  • Campaign Flows: Configure communication flows such as IVR and autodialers.
  • Cloud Accounts: Credentials for 32 cloud accounts found. Developer tools exposed sensitive files such as client.json with GCP service keys.
  • Risk of Abuse: Four accounts had Owner-level access and one had Editor-level access. Malicious actors could exfiltrate or delete sensitive data and tamper with infrastructure.

Exposed GCP Service Accounts (Examples):

  • supplier-software-verified-sms
  • pcpl-speech-to-text
  • clicktocall
  • central-awspoc
  • Testing-agent-1-mrdmlr

Samples from pcpl-speech-to-text Storage Bucket:

  • Sensitive call recordings (e.g., loan discussions, debit card block requests).

  • Associated transcripts stored in plain text.
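The finding above that developer tools exposed a `client.json` carrying GCP service keys is the kind of thing a vendor can catch on its own side before it reaches a credential dump. The following is an added example (not CloudSEK or SVigil code, and not the supplier's tooling) that walks a source or build tree, recognises files with the shape of a downloaded GCP service-account key, and reports only the identity of the key (project, service-account e-mail, truncated key id), never the private key itself. The sample tree it builds, including the placeholder key and file names, is constructed for the example.

```python
"""Scan a file tree for GCP service-account key files (e.g. a stray client.json).

Added example for this case study; not CloudSEK/SVigil or supplier code.
"""
import json
import os
import tempfile
from typing import Dict, List

# Fields present in every service-account key JSON that Google issues.
REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}
MAX_BYTES = 1_000_000  # skip large files; a key file is a few kilobytes


def is_service_account_key(obj) -> bool:
    """True if a parsed JSON document has the shape of a GCP service-account key."""
    if not isinstance(obj, dict) or obj.get("type") != "service_account":
        return False
    if not REQUIRED_FIELDS.issubset(obj):
        return False
    return str(obj.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----")


def describe(obj: dict, path: str) -> Dict[str, str]:
    """Build a report entry that identifies the key without copying key material."""
    return {
        "path": path,
        "project_id": obj["project_id"],
        "client_email": obj["client_email"],
        "private_key_id": obj["private_key_id"][:8] + "...",
    }


def scan_tree(root: str) -> List[Dict[str, str]]:
    """Return one entry per service-account key file found under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8") as fh:
                    obj = json.load(fh)
            except (OSError, UnicodeDecodeError, ValueError):
                continue  # unreadable or not JSON: not a key file
            if is_service_account_key(obj):
                findings.append(describe(obj, os.path.relpath(path, root)))
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a throwaway tree: one constructed key file plus two decoys."""
    root = tempfile.mkdtemp(prefix="sa-scan-")
    os.makedirs(os.path.join(root, "tools", "dev"))
    key = {  # constructed placeholder; contains no real key material
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123456789abcdef",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "speech-to-text@example-project.iam.gserviceaccount.com",
        "client_id": "000000000000000000000",
        "token_uri": "https://oauth2.googleapis.com/token",
    }
    with open(os.path.join(root, "tools", "dev", "client.json"), "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    # Decoy 1: mentions service_account but lacks the key fields.
    with open(os.path.join(root, "config.json"), "w", encoding="utf-8") as fh:
        json.dump({"type": "service_account", "project_id": "example-project"}, fh)
    # Decoy 2: not JSON at all.
    with open(os.path.join(root, "README.md"), "w", encoding="utf-8") as fh:
        fh.write("build notes\n")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(f"[!] service-account key at {finding['path']} for {finding['client_email']}")
```

Run it as a pre-commit hook or CI step with the repository root as the argument instead of `build_sample_tree()`; any hit means the key should be revoked in GCP and the file removed from history, not merely deleted from the working tree.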

Business Impact

  • Exposed Employee Credentials: Threat actors leveraged leaked credentials to gain unauthorized access to internal systems and dashboards.
  • Unsecured Cloud Storage Access: Sensitive assets such as call recordings and transcripts were left exposed in cloud buckets without proper access controls.
  • Privileged Service Account Misuse: High-privilege GCP service accounts were accessible, increasing the likelihood of data exfiltration and infrastructure compromise.
  • EDR Failure Enables Unauthorized Access: Endpoint Detection and Response (EDR) solutions failed to detect abnormal access patterns, allowing persistent threat actor activity.
  • Lack of MFA Increases Credential Attack Risks: Absence of multi-factor authentication (MFA) on the supplier portal elevated the risk of successful credential-based attacks.

SVigil’s Security Recommendations

  • Immediate Credential Revocation: All exposed employee credentials must be immediately revoked to prevent unauthorized access.
  • Strengthen Cloud Security Configurations: Secure cloud resources by applying strong access control policies, removing hardcoded credentials, and encrypting sensitive files.
  • Tighten Cloud Access Controls: Review and restrict cloud IAM roles; minimize use of high-privilege roles such as Owner or Editor.
  • Deploy EDR to Prevent Unauthorized Persistence: Ensure a robust EDR system is in place to detect, block, and alert on suspicious user behavior and anomalous access.
  • Mandatory 2FA Across All Sensitive Portals: Enforce multi-factor authentication for all users accessing sensitive infrastructure and dashboards to reduce the likelihood of credential abuse.
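The recommendation to review IAM roles and minimise Owner/Editor bindings can be turned into a repeatable check against the project policy export. The following added example (not CloudSEK or SVigil code) takes the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`, lists every service account bound to `roles/owner` or `roles/editor`, and produces a remediated copy of the policy with those bindings removed for review before it is written back. The sample policy, its service-account names and project id are constructed; it mirrors the counts in the findings (four Owner, one Editor) but not the real accounts.

```python
"""Audit a GCP project IAM policy for service accounts holding primitive roles.

Added example for this case study; not CloudSEK/SVigil code. Input is the JSON
returned by `gcloud projects get-iam-policy PROJECT --format=json`.
"""
import copy
from typing import List, Tuple

# Primitive roles that grant broad, project-wide rights.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
SA_PREFIX = "serviceAccount:"


def find_privileged_service_accounts(policy: dict) -> List[Tuple[str, str]]:
    """Return sorted (member, role) pairs for service accounts with Owner or Editor."""
    hits = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in PRIMITIVE_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith(SA_PREFIX):
                hits.append((member, role))
    return sorted(hits)


def strip_primitive_roles(policy: dict) -> dict:
    """Return a copy of the policy with service accounts removed from Owner/Editor.

    Human principals are left untouched so they can be reviewed separately, and
    bindings that end up empty are dropped. The etag is kept so that a later
    `gcloud projects set-iam-policy` is rejected if the policy changed meanwhile.
    """
    remediated = copy.deepcopy(policy)
    kept = []
    for binding in remediated.get("bindings", []):
        if binding.get("role") in PRIMITIVE_ROLES:
            binding["members"] = [m for m in binding.get("members", []) if not m.startswith(SA_PREFIX)]
        if binding.get("members"):
            kept.append(binding)
    remediated["bindings"] = kept
    return remediated


# Constructed sample policy (placeholder project, accounts and etag).
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": "roles/owner",
            "members": [
                "user:platform-admin@example.com",
                "serviceAccount:sa-verified-sms@example-project.iam.gserviceaccount.com",
                "serviceAccount:sa-speech@example-project.iam.gserviceaccount.com",
                "serviceAccount:sa-clicktocall@example-project.iam.gserviceaccount.com",
                "serviceAccount:sa-awspoc@example-project.iam.gserviceaccount.com",
            ],
        },
        {
            "role": "roles/editor",
            "members": ["serviceAccount:sa-test-agent@example-project.iam.gserviceaccount.com"],
        },
        {
            "role": "roles/storage.objectViewer",
            "members": ["serviceAccount:sa-reports@example-project.iam.gserviceaccount.com"],
        },
    ],
    "etag": "BwConstructedEtag=",
    "version": 1,
}


if __name__ == "__main__":
    for member, role in find_privileged_service_accounts(SAMPLE_POLICY):
        print(f"[!] {member} holds {role}")
    fixed = strip_primitive_roles(SAMPLE_POLICY)
    print(f"remediated policy has {len(fixed['bindings'])} bindings, etag {fixed['etag']}")
```

The remediated policy deliberately does not pick replacement roles: which predefined role each workload actually needs (a Speech or Storage role rather than Editor) has to come from its owner, and the review of that list is the point of the exercise.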

Author

Hansika Saxena

Hansika joined CloudSEK's Editorial team as a Technical Writer and is a B.Sc (Hons) student at the University of Delhi. She was previously associated with Youth India Foundation for a year.
