I'm surprised they didn't just use openssl_seal() with a public key, instead of risking the decryption key being forensically recoverable by the victims.

Maybe they didn't think it through that far?
Seriously?

How the heck does this happen to a real company, supposedly with a disaster recovery plan?

Seems like the obvious fix is blow away / reformat the compromised server, reload web application source code (backed up on another box, right?), reload application data (backed up on another box, right?) and away we go....

For a financial company???? <sadness>
I was just re-reading about the Drupal super-vulnerability of Oct 2014. This could be some of the fruit. That was an enormous vulnerability that might have compromised hundreds of thousands, if not millions, of servers.