Incident report in response to the recent Codecov breach
Four years ago we wrote a blog post on why we founded Coalition where we outlined our mission and plan to solve cyber risk. This entailed not just helping organizations prevent cyber incidents, but helping them respond and recover when incidents occurred. We knew that nothing is or will ever be 100% secure, and that no one can defend themselves 100% of the time.
Four years later we are one of the largest providers of cyber insurance and security globally with over 50,000 customers. There isn’t a single day that we aren’t helping our customers recover from and remain resilient on their own worst days. April 22, 2021 turned out to be such a day for us.
What happened?
On April 15, 2021 Codecov, a code coverage solution, publicly disclosed a security event during which an unauthorized party was able to make modifications to a Codecov component that Codecov customers download and execute when using the solution.
These modifications allowed the unauthorized party to potentially export information stored in Codecov users’ continuous integration (CI) environments. Codecov disclosed that the unauthorized access began on January 31, 2021, and was identified and remediated on April 1, 2021. Coalition was not notified by Codecov prior to their public disclosure on April 15, as we had already deprecated our usage of Codecov.
On April 22, 2021 we received a notification from GitHub, a third-party code hosting platform, that suspicious activity had been detected in our account related to the Codecov event, indicating that a read-only Coalition user token used by Codecov to access our GitHub account may have been exposed. This immediately triggered our security incident response process, and with the help of GitHub we identified a set of GitHub repositories that had been cloned by the attacker on April 12, 2021, prior to Codecov’s public disclosure of the breach.
Our subsequent investigation into the impact of this event, with the assistance of outside counsel, found that no personally identifiable information was exposed. Furthermore, we have remediated any additional potential exposure by thoroughly reviewing and rotating any potentially exposed secrets in the affected repositories.
What have we done?
As soon as we became aware of the event our internal security team, at the direction of outside counsel, began working in tandem with our in-house digital forensics and incident response firm, Coalition Incident Response (CIR). We wanted to be certain that we understood the potential exposure to our customers and partners, so we conducted a deep-dive review of our repositories. Following this in-depth review, it was determined that there was no access to personally identifiable information, and that there was no indication that any of our repositories were modified by the attacker.
Further, we performed automated scanning to detect secrets in our repositories using an internal service we call “mantis.” We run this same service automatically for all of our policyholders to detect secrets that may inadvertently be exposed in public code repositories. We then rotated all secrets contained in the possibly exposed repositories. We also investigated the scope of those credentials and validated, to the best of our ability, that there were no abuses of them prior to their rotation.
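As an added illustration of the secret-scanning step described above (example code written for this post, not Coalition's mantis service), the scanner below flags known token formats by pattern and falls back to an entropy check on secret-looking assignments, so that a cloned repository tree can be triaged before rotating credentials. The detection rules, threshold and sample file contents are constructed assumptions.

```python
import math
import re

# Illustrative detection rules (hypothetical, not Coalition's "mantis" rules).
NAMED_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
}
# Generic fallback: a secret-looking assignment whose value is long and random.
ASSIGNMENT = re.compile(r"(?i)(secret|token|password|api_?key)\s*[=:]\s*[\"']([^\"']{16,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per character; tune to the repository's false-positive budget


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return one finding per line that looks like a leaked credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = [name for name, rx in NAMED_PATTERNS.items() if rx.search(line)]
        if not matched:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                matched = ["high_entropy_assignment"]
        for rule in matched:
            findings.append({"path": path, "line": line_no, "rule": rule})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents (e.g. a cloned repository tree)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents; none of these values is a real credential.
SAMPLE_FILES = {
    "ci/deploy.sh": 'export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"\necho "deploying"\n',
    "config/settings.py": 'GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"\nDEBUG = False\n',
    "config/app.env": 'API_KEY="q8Zr2Lw9XvT4mNpB1sK6"\nPASSWORD="changeme_changeme"\n',
    "README.md": "Run `make test` before pushing.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['rule']}")
```

The low-entropy placeholder password in the sample is deliberately not flagged, which is the trade-off the threshold controls; every finding is then a candidate for rotation rather than proof of abuse.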
Why are we disclosing this?
Not because we have to, but because it is the right thing to do and what we would counsel our own customers to do. Although we have no formal obligation to disclose this incident under applicable data privacy laws, we are doing so because we believe that the security of our products and our customers’ data is of paramount importance. When an incident occurs that might threaten that security we want to be transparent about it, share information that might help others, and collaborate in the ongoing fight against cyber crime.
After all, we know how difficult it is to protect the organizations we serve, as well as how difficult it is to respond and help them recover when security incidents occur. We do it every single day with the same level of enthusiasm and dedication for our policyholders as we do it for ourselves.
Update (May 7, 2021): Coalition's subsidiary, BinaryEdge, was not affected by this incident.