Thursday, June 21, 2018

Bank Client's PII Valuable


Banks have the privilege of collecting our data and storing it for their own uses. In storing this data, banks act as its stewards. A steward that takes that responsibility seriously, as a reasonably prudent bank would, deploys certain InfoSec controls to protect the bank, its assets, and its customers’ data.
Two banks recently had an issue that allowed such an oversight to occur (https://www.ehackingnews.com/2018/05/two-financial-institutions.html, http://www.palada.net/index.php/2018/05/29/news-6184/, & http://www.cbc.ca/news/business/simplii-data-hack-1.4680575). In May 2018, the Bank of Montreal and Simplii Financial, owned by CIBC, announced their alleged breach. Simplii Financial is CIBC’s direct banking brand. Approximately 90k clients were affected. Their accounts may have been accessed by the attacker or by the people the data was sold to, as evidenced by the tip the Bank of Montreal received stating that a limited number of people’s accounts had been accessed by unauthorized parties.
After the breach was noted and analysis began, Simplii began implementing additional measures to improve its online cybersecurity. These included, but were not limited to, fraud monitoring and closer monitoring of online banking activity.
To make matters worse, the attackers threatened to release the compromised and exfiltrated data. They would withhold it only if the banks paid them $1M on or before May 28th. The Bank of Montreal did not pay the ransom and instead focused its efforts on its clients.
In this day and age, banks and other institutions have to be more proactive in implementing defense in depth to secure, as far as possible, their clients’ data. Budgets, internal politics, and scheduling issues often slow these implementations; they should instead be pushed to the front of development and implementation. The alternative is to be breached, get the opportunity to publish the breach and claim that only highly trained “hackers” could have done it, and pay the fees.


