Criminal threats to industry are significant and continue to grow

CSRB 2nd report.
I was honored to be part of the Cyber Safety Review Board’s examination of the Lapsus$ attacks. The CSRB reviews significant cyber events, brings together leaders from government and industry, and issues practical, actionable recommendations to strengthen resilience across both the private and public sectors.
As part of the Board, I had the opportunity to examine the activities of Lapsus$ and related threat groups. These loosely organized cybercriminals successfully compromised some of the world’s most well-defended companies, using surprisingly low-cost and well-known techniques to exploit weak points in our collective cyber infrastructure.
What We Found
Between 2021 and 2022, Lapsus$ carried out extortion-focused attacks against dozens of companies and government agencies worldwide. Their methods exposed critical systemic weaknesses:
- Low-Cost Techniques with Big Impact – The group used simple tools and social engineering to bypass defenses that organizations believed were strong.
- Multi-Factor Authentication (MFA) Weaknesses – Many implementations relied on SMS and voice-based codes, which proved vulnerable to interception and manipulation.
- SIM-Swapping Risks – Criminal markets for SIM swaps enabled attackers to hijack phone numbers and gain unauthorized access, often with little resistance from telecom providers.
- Exploitation of Third Parties – Business process outsourcers (BPOs) and downstream vendors were frequent weak links that attackers leveraged to reach larger targets.
- Juvenile Cybercrime Dynamics – Several Lapsus$ members were minors, raising challenges for law enforcement, since lighter penalties and limited intervention programs provided little deterrence.
Recommendations for a More Secure Future
The CSRB issued a set of recommendations designed to address these risks and drive long-term improvements across the ecosystem:
- Identity and Access Management (IAM) – Transition away from SMS/voice-based MFA and move toward phishing-resistant, passwordless authentication (e.g., FIDO2, hardware-backed solutions). Organizations should also strengthen defenses against social engineering.
- Telecommunications Resilience – Treat SIM swaps as privileged actions, enforce stronger identity verification, allow consumers to lock accounts, and require carriers to harden systems and APIs. Regulators should strengthen oversight and reporting.
- Managing Vendor and BPO Risk – Companies should mature vendor risk management, adopt zero trust architectures, and enshrine shared cybersecurity responsibility in contracts with BPOs.
- Law Enforcement and Juvenile Crime – Expand “whole-of-society” programs for juvenile cybercrime prevention, improve international law enforcement cooperation, and strengthen protections against abuse of emergency disclosure requests (EDRs).
The Lapsus$ review underscored how even the strongest organizations can be compromised when attackers exploit human factors, weak authentication, or poorly secured third parties. These aren’t exotic zero-day attacks—they are low-cost, scalable, and repeatable techniques. The CSRB’s findings remind us that building resilience requires not just advanced defenses, but also cultural change, regulatory alignment, and collaboration across government, industry, and law enforcement.