Breach taxonomy
Summary
On February 14, 2025, NioCorp Developments became aware of unauthorized third-party access to its information systems, including portions of its email systems. The attack resulted in misdirected vendor payments totaling approximately $0.5 million. The company self-discovered the incident, notified financial institutions and federal law enforcement, and began investigation and remediation steps. Filed under Item 8.01; materiality not yet determined as of filing date.
Tagging rationale
ThreatUnknown
Filing does not attribute the incident to a specific actor type → UNKNOWN.
MethodsAccount Takeover
Filing describes unauthorized third-party access to email systems that led to misdirected vendor payments, consistent with business email compromise and account takeover.
AssetsCash EquivalentConfidential Biz
Filing states the attack resulted in misdirected vendor payments of approximately $0.5 million, indicating cash/payment systems were compromised; email systems were also accessed.
EffectsFinancial Fraud
The direct consequence was misdirected vendor payments totaling approximately $0.5 million, constituting financial fraud.
Impact
Estimated financial loss of approximately $0.5 million from misdirected vendor payments; no operational disruption disclosed → score 1.
InsuranceNot disclosed
Filing makes no mention of insurance → null.
Read the original SEC filing excerpt
Item 8.01 Other Events. On February 14, 2025, NioCorp Developments Ltd. (the "Company") became aware of unauthorized third-party access to its information systems, including portions of its email systems, that resulted in misdirected vendor payments totaling approximately $0.5 million (the "cybersecurity incident"). The Company self-discovered the cybersecurity incident and promptly notified certain financial institutions and federal law enforcement in an effort to, among other matters, recover the misdirected vendor payments. In addition, upon discovery of the cybersecurity incident, the Company began taking steps to investigate, contain, assess and remediate the cybersecurity incident. Although the Company believes that the cybersecurity incident is limited to the misdirected vendor payments, the Company's investigation of the cybersecurity incident remains ongoing and the full scope, nature and impact of the cybersecurity incident are not yet known. As of the date of this filing, the Company has not yet determined whether the cybersecurity incident is reasonably likely to materially impact the Company's overall financial condition or its results of operations, including whether the Company will ultimately be able to recover all or a portion of the misdirected vendor payments.