BreachExchange mailing list archives

Breached: What happens when a bank’s data is compromised


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Sep 2013 00:07:47 -0600

http://www.bizjournals.com/sacramento/print-edition/2013/08/09/breached-banks-data-compromised.html?page=all

It’s a letter that almost seems designed to fan fears rather than
allay them. The letter warns about “an information security situation
that could potentially affect you.” Someone who shouldn’t have your
“personal information” may have it. In the meantime, here’s a fresh
credit or debit or membership card for you.

Like everywhere else, the Sacramento area has had its share of cyber
attacks and data breaches. Some customers of SAFE Credit Union and
Yolo Federal Credit Union, as well as service and retail companies
such as Sutter Health and Raley’s Inc., received such letters in the
past year.

The warning letters vary in content but are often vague. What’s
usually left unsaid are the details. What kind of data got out? How
did it happen? (Yolo Federal’s letter said it involved data “at
multiple merchant locations.”) Is your specific account information
OK?

Financial institutions made up a minority of companies reporting data
breaches — as required by law — to state Attorney General Kamala
Harris in 2012. The entire financial sector, which includes insurance
companies, accounted for only 30 of the 131 reported data breaches in
the state. Retailers accounted for 34.

Nonetheless, it always comes back to the financial institution.

“Regardless of where a breach occurs, it’s still a financial
institutional customer who is at the end of the line,” said Doug
Johnson, vice president and senior adviser on risk management policy
for the American Bankers Association. He said he would prefer that
banks manage the customer notification instead of a third party
providing services to the bank or conducting a transaction through the
bank.

Broad definition

Data breaches can take many forms. Computer hacking is one of the most
talked about. In late July, federal authorities indicted four Russians
and a Ukrainian on charges of stealing and selling more than 160
million payment card numbers from corporate networks from mid-2005 to
mid-2012.

But breaches also can be more mundane. Last year TD Bank, based in
Cherry Hill, N.J., “misplaced” an unencrypted backup tape with
information on more than 260,000 customers. Or the breach could
involve data in a laptop computer that has been lost or stolen.

“One of the scariest stats is that 75 percent of the insider thieves
stole material they were already authorized to access,” said Tony Cox,
compliance manager for consulting firm Banker Technologies in Tustin.

Since 2003, California law has required any organization to notify any
California resident whose unencrypted personal information was
acquired, or reasonably believed to have been acquired, by an
unauthorized person.

“Personal information” means the person’s name in combination with a
Social Security number, driver’s license, or account number and its
access code or password. Loss of encrypted data doesn’t have to be
reported.

The attorney general’s office must be notified when breaches involve
more than 500 people. Few organizations are in a hurry to report them,
however. California law says only that notice must be given “in the
most expedient time possible and without unreasonable delay.”
Sometimes that turns out to be months after the breach. In some cases,
the attorney general pointed out, law enforcement agencies request a
delay to aid their own investigations.

Institutions that have been affected, even indirectly, don’t like to
talk about it. A SAFE Credit Union spokesman said the credit union
won’t discuss security matters. Yolo Federal didn’t respond at all
when contacted for this story.

Those who haven’t had to file such reports are a little more
forthcoming. Bank of Sacramento has been fortunate so far, said Jeff
Lund, the bank’s information security officer. Like many banks, it has
fended off data breaches by layering one security measure over
another: firewalls, user authentication and multiple factors such as
pass phrases and picture identification for logging into an account.

“I think there is probably a bigger problem, not so much in hackers
breaking in and stealing information directly from a financial
institution as it is phishing and getting information from customers,”
he said. The bank also tries to educate its customers on protecting
their information.

Fraud trends seem to start with big banks and work their way down to
smaller institutions, said Johnson of the ABA. That can serve as a
kind of early warning system for small banks, which don’t have the
same resources as a Chase or a Wells Fargo. On the other hand, a small
bank is more likely to be more familiar with its customers and spot an
anomaly without needing a lot of technology, he said.

Shifting landscape

Cox’s firm classifies data as being in one of three states: At rest,
which means it’s sitting on a server and not being processed; in
transit from one place to another; or on a screen being viewed by
someone.

“Once you’ve identified where the data is, you can put protections on
it,” he said.

But technology is constantly changing, and banks have to constantly
adapt, Cox said. For the problem of authorized access mentioned
earlier, banks are responding with systems that monitor files and
record actions no matter who is looking at them.

The introduction of free email services created a big hole for data to
leak through.

“I can’t use the bank’s email system because there is a log. But what
if I log into Yahoo.com and jump on their mail client? Now all the
system knows is that I was on the website, not what I was doing on the
website,” Cox said. So banks now routinely block internal access to
free email sites.

The falling price of USB drives opened up another hole. It hardly
costs anything now to get a thumb drive with a gigabyte of memory.

“What the industry has done is either block USB drives so they don’t
work, or accept only USB drives that have biometric encryption on it
for it to work,” he said.

Now the cloud is raising concerns with sites like Dropbox, which allow
computer and smartphone files to be accessed remotely. Web filtering
helps, but people also can get to such sites on their smartphones.

“Everybody wants to bring their smartphones and tablets,” Cox said. “A
lot of banks are struggling how to balance this because, on one hand
it’s great. I’ve got employees who are buying their own equipment and
I don’t have to. The downside is how do you control it?”

Then there’s the Google Glass headset. Right now it’s easy to spot,
but in five years it may look like any ordinary pair of glasses, Cox
said. A person may stroll past a computer and record what’s on the
screen for review later.

Changing social norms also have posed a problem.

Cox had a client bank where a new 20-something teller was impressed by
the size of a cash shipment that had just arrived.

“Without even thinking, she whipped out her phone and took a picture
of it and posted it on Facebook,” Cox said. “In her mind, that’s just
what you do. People take pictures of their food. She didn’t understand
what was the big deal.”

Banks, consultants and the attorney general all agree that the biggest
deterrent is data encryption.

“But you would be surprised at the times when it is not being done or
the system is failing,” Cox said. Some systems require manual
activation of encryption rather than making it the default. Sometimes
it’s a question of inadequate training. It takes three elements —
training, technology and policies — to seal up the holes in a system.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss