

Compromised email address incident at third-party firm Customer.io

  • 18 Jan, 2023


I write to you, following a full investigation, to advise of a data breach at a third-party firm used by Uphold for some of its customer communications. 

First, I’d like to reassure you that Uphold was not hacked and no customer funds were stolen. Your accounts remained safe throughout the incident and our security measures worked as planned. 

This notice will explain what happened, how we handled the situation, and how we can work together to protect you from potential incidents in the future.

What happened

In July 2022 a third-party firm we use for sending emails, Customer.io, had a security incident where email addresses from several of their clients, including Uphold, were provided to a bad actor by a senior engineer with administrator access at Customer.io.

More information about this incident is available here

We sincerely regret the incident and have been busy conducting a review of Customer.io security controls and working with law enforcement to investigate the incident. 

How we handled the incident

The Uphold team took swift action to limit the risk caused by the incident and immediately:

  • Contacted the security team at Customer.io to investigate the incident and determine the level of risk to our customers.
  • Worked with Customer.io to implement additional preventative controls to restrict access to our customer information without prior authorization from Uphold.
  • Contacted the data privacy authority, the Information Commissioner's Office (ICO) in the UK, for transparency and to seek advice.

How you can help

While your full login credentials are secure, we believe there is a risk that your first name, last name and email address have been disclosed during the incident. This does not compromise your account but may mean that you are likely to receive further phishing attempts. We urge you to be vigilant.

Remember that Uphold will never:

  • Invite you to send funds to a Bitcoin or other blockchain network address.
  • Call you, without an active support request having been raised.
  • Ask you to disclose your username and password.
  • Request control of your computer using remote software.

When you log in to Uphold, always check that the URL reads precisely https://www.uphold.com or https://wallet.uphold.com. If you don’t see this, it’s not us. Bookmark our address and don’t use search engines to find us, because there’s always a risk they will take you to a phishing site.

To help protect you from phishing attacks we’ve created a security awareness blog, which you can read here.

The nature of ‘phishing’ means that the threat is constantly changing shape. No matter how robust our security measures are, they will never provide you with complete protection unless you remain alert and vigilant to suspicious activity.

Like other institutions, we need your help to combat the menace of phishing, and I have no doubt that by working together, we can do so.

Kind regards,

Chris Ampofo
Chief Information Security Officer

Uphold
