Copper.co provides digital asset custody technology, including to the likes of State Street. Today it acknowledged a security ‘incident’ over the Christmas period, which it said was not a breach.
The startup was responding to a CoinDesk report alleging that Copper’s private GitHub repository had been accessed and its source code copied.
Several other companies reported similar private GitHub incidents around the same time. In these other cases, it appears the cause was not a GitHub weakness but compromised staff GitHub accounts. The companies include Slack and (more seriously) Okta, the identity company that provides single sign-on services, including to the U.S. Department of Defense.
A Copper spokesperson declined to confirm whether the GitHub repository was cloned, but GitHub is likely the ‘vendor’ that Copper refers to in its statement.
According to the statement:
- Copper’s environment and infrastructure were not compromised.
- No clients were compromised.
- No business interruption occurred.
- No data is known to have been lost.
- No vulnerability was detected inside Copper’s framework.
- Copper was advised about the detection of vulnerability alongside a number of other users of an external environment; this was not specific to Copper.
- The incident was not required disclosure in accordance with applicable law or regulations.
The wording of one of those points is somewhat careful: ‘no data is known to have been lost’. It did not say that no data was lost.
Most advanced digital asset custody firms use multiparty computation (MPC), which fragments the private keys used to access digital assets into pieces. Hence, if the source code was accessed, the hackers might know this methodology.
Does it matter?
Without knowing more details, it’s tricky to judge the seriousness of the incident. It’s likely to be a non-issue, but there are two points worth exploring.
First, assuming the source code was accessed, it would be far more dangerous if Copper were unaware. Given that it knows there was an attempt, it can make code changes that should nullify the risk.
The second point is how the GitHub repository was accessed. In Slack’s case, it appears that hackers used stolen employee credentials. Given Copper is essentially a security company, if any staff credentials were compromised, that would be a pretty serious issue.
Meanwhile, Copper just announced that Philip Hammond, the former UK Chancellor, has become Chairman of the Board.