Cryptocurrency exchange, QuadrigaCX, has suffered a security incident after it lost control of its customers assets. $137 million worth of assets are inaccessible as the only person with access to the offline wallet sadly passed away at the age of 30. Assets include Bitcoin cash, Bitcoin gold, Ethereum and Bitcoin SV. Over 100,000 customers are affected.
Strong security measures in place hinder the process of retrieving customers’ assets
QuadrigaCX stored assets offline as a security measure to prevent unauthorised access by hackers. Further security measures in place included encrypting laptops. Again this made it harder for hackers to access bitcoins. With encrypted devices, there is always a recovery key. However, the company was not able to locate this either. An encrypted USB belonging to the director soon diminished hopes of finding any information to help. The founder encrypted emails and set short retention rules on other messaging software. QuadrigaCX called in a cybersecurity professional to attempt to decrypt all devices but was unsuccessful in retrieving anything.
All these security measures succeeded in its objective but also hindered the access and use of the assets. In this rare instance, it defeated its purpose. It made it hard for anyone to get in, including staff of Quadriga CX. To add, there was no back up plan or access to the assets in the event of an incident such as this.
The gap in the security measure implemented
Organisations should indeed restrict the number of people who hold passwords to highly sensitive company data. QuadrigaCX did the right thing by keeping critical data offline and encrypting all devices containing data. These all preserve its confidentiality. However, preserving the availability should not be neglected, as was the case here. Lesson learned here is that organisations should prepare for all sorts of eventualities with critical assets forming part of the business continuity plan. Risk always has a level of uncertainty and all events should be considered and risks assessed.
QuadrigaCX filed a creditor protection motion with the courts. The matter is still ongoing.