These Financial IT Security links are part of a weekly series, Ethical Hacker Roundup, featuring recent information security and cyber security related articles that we’ve read over and thought worth sharing.
The high-profile hacker collective Anonymous claimed to celebrate Guy Fawkes Day (November 5th) by hacking a PayPal server and stealing 28,000 customer passwords, which they allegedly posted on Pastebin. They announced the hack on Twitter.
PayPal denies the attack took place. Indeed, it appears that the passwords in question belonged to ZPanel, a free open source hosting site. Anonymous also claims to have hacked Symantec and posted passwords of some of its employees on Pastebin as part of its November 5 protest. Symantec says it is still investigating but can find no evidence that any “customer data” has been compromised.
Data breaches that grab the headlines often involve big banks and other enterprises. A recent survey by the National Cybersecurity Alliance indicates that this gives rise to a misperception among SMBs that hackers don’t bother with smaller companies.
Not only do most SMBs not have a plan for how to report and otherwise respond to data breach losses, but two-thirds of SMBs are not concerned about external or internal cyberthreats. This is in sharp contrast to the fact that SMBs are hacked with regularity: almost 40% of cyberattacks ostensibly target companies with fewer than 500 employees. Indeed, cybercriminals see SMBs as the “low-hanging fruit,” with simplistic cybersecurity that is comparatively easy to penetrate.
For example, a Missouri-based escrow company was hacked using a variant of the Zeus malware, which netted login credentials for the company’s bank account – and more than $440,000 in stolen funds. Authentication credentials, along with payment card data, are stolen far more often from SMBs than from larger companies, according to Verizon.
SMBs in Financial Services and other industries need to move beyond simple security like firewalls to securing their vital data, and the processes that act on it. A Database Security Assessment is the first step in protecting personally identifiable information (PII).
TD Bank reported recently that back in March it apparently lost two unencrypted backup tapes that may have contained the names, Social Security numbers, addresses, birth dates, driver's license numbers, debit card numbers, and/or account numbers of about 267,000 customers on the US East Coast. The bank lost the tapes in transit between two locations, but is not classifying the mishap as a data breach.
In an official statement, a spokesperson for TD Bank explained that the tapes hadn’t been “lost,” but rather “misplaced” – perhaps that’s why the bank waited more than five months to notify affected customers. (Officially, it was waiting to conduct a “thorough investigation.”) So far the “misplaced” data has apparently not been misused.
The Attorney General’s Offices of Massachusetts and New Hampshire are investigating the non-breach and TD Bank’s (non-)response to it. Over 100,000 people in those two states could be affected. Industry best practice is to notify authorities immediately (or within a reasonable period of about 45 days). If the attorneys general rule that TD Bank did not meet breach notification regulations, it could face stiff fines.
This incident highlights the need for financial institutions to 1) manage data-loss impact assessment and incident response; and 2) manage the third-party/vendor risk associated with outsourced activities like transporting backup tapes.
Financial IT Security
Arguably, beyond the government itself, no industry has a greater impact on the health of our economy than financial services. And nothing has a greater impact on a financial entity than to lose the confidence and trust of its customers. Your Financial IT Security concerns can and should be addressed by an independent and objective Information Assurance firm. Pivot Point Security can help your Financial Organization to know you’re secure and prove you’re compliant. See how we can help.