March 5, 2021
Dear PrecisionLender customer,
As you may have heard, Microsoft has announced it identified multiple vulnerabilities in its Exchange Outlook Web Access/OWA service, which are being exploited by bad actors. According to Microsoft, these attacks have likely been occurring for some time, probably affecting a large number of companies.
We are reaching out to let you know that PrecisionLender, a Q2 company, does not use the Microsoft Exchange Outlook Web Access/OWA service; therefore, we believe there has been little, if any, impact on Q2’s hosting environments. Q2’s use of Microsoft products is limited to cloud-based solutions. We also work with third-party providers Okta and Microsoft Office 365, who go through regular security reviews like all third-party providers. As additional controls, we have security alerts in place for any related events and employ single sign-on (SSO) controls that force multi-factor authentication (MFA) with our SSO provider Okta.
Nevertheless, redundancy is critical to ensure protection from security threats. As a result, based on Microsoft's information and the timing of these announcements, we’re working to make sure absolutely no malicious software compromises our infrastructure. Q2 is conducting thorough due diligence efforts, and our security team is carrying out a comprehensive analysis of any potential effects. In addition, we're following up with critical vendors to determine any impact they may have experienced following these compromise events.
If you’d like to learn more, Microsoft has posted a resource on the breaches.
Thank you for your partnership with Q2. We will communicate updates from our due diligence activities as they become available.