
Credentials exposed for majority of US financial firm employees

An access card is used at Hurlburt Field, Fla., Sept. 12, 2016. (Airman Dennis Spain/Air Force)

Financial service institutions have already come around to the idea that breaches are not merely possible, but probable.

However, a report released last Thursday by digital threat intelligence company Constella Intelligence found that, as bad as that sounds, the reality may be even worse. The report, which examined financial industry-specific data from January 2018 through September 2021, discovered that the majority of employees at Fortune 500 financial firms have had their corporate credentials exposed, creating a huge potential for impactful breaches.

"This report should be a wake-up call for every bank, insurance company, stock brokerage, credit card company, and financial institution that they are attractive and viable targets for cyber threat actors," said Constella Intelligence CEO Kailash Ambwani in a statement. "Companies and individuals must take new precautions to protect themselves from threats with high potential to target employees as a vector to inflict reputational and financial harm."

While most major enterprises, including financial service institutions (FSIs), have come around to the idea that serious breaches are not a matter of “if, but when,” this research points to how much access bad actors really have to sensitive financial information. The report, "Financial Services Sector Exposure Report: 2018-2021 Findings and Trends," reviewed records from data breaches found in “open sources, and on the surface, deep, and dark web.” Constella Intelligence's threat intelligence team identified 6,472 breaches or leakages, and more than 3.3 million exposed records in which financial employees' corporate credentials were involved.

According to Jonathan Nelson, digital intelligence specialist at Constella Intelligence, and one of the principal authors of the report, “Almost everyone's PII exists online somewhere — whether on open sources, social media, or the surface, deep, or dark web. Companies seeking to safeguard their people, assets, and brand can proactively monitor the digital sphere for exposed credentials that enable threat actors to launch many of the high-profile attacks that we are seeing today.”

Even more disturbing, two-thirds of these internal financial industry breaches involved personally identifiable information (PII); all of these included email addresses, and 72% included private passwords. Seven out of 10 executives profiled in the report have already had their corporate credentials leaked or compromised in some way. Further, according to the report: “The proliferation and circulation of this sensitive employee data enables threat actors with the necessary resources to execute a wide range of cyberattacks, including ransomware, impersonation, phishing, account takeover, and several others.”

Companies and general corporate cultures have come around to the understanding that breaches will happen, “but what’s important are the types of breaches we’re talking about here,” Nelson said.

“Employees and humans are the weakest points in terms of an organization’s cybersecurity posture and our findings related to the vast number of exposures in circulation are a serious cause for concern,” said Nelson. “These exposed credentials are the keys for threat actors to access companies’ sensitive data and critical systems.”

And nearly all of these executives (98%) say they have been exposed in breaches that include PII, and 2 out of 5 even say their private passwords were found and exploited. So what can FSIs do to mitigate the risk from these threats? Nelson suggested:

  • Secure internal corporate systems through a strong, multi-factor authentication password policy.
  • Enforce a policy for backup storage, ensuring backups are kept separate from critical corporate systems.
  • Implement strong encryption algorithms for corporate databases. Frequently used encryption algorithms, including MD5 and SHA1, have been proven relatively vulnerable.
  • Invest in education and awareness of employees and executives regarding digital threats and cyberattacks including but not limited to phishing, fraud, online scams, malware, ransomware, account takeover, impersonation, and more.
  • Use advanced threat intelligence to proactively monitor the social, surface, deep, and dark web for exposed employee credentials to ensure early identification of potential risks and stay ahead of cybercriminals’ tactics.
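Two of the recommendations above, replacing fast hash algorithms such as MD5 and SHA1 for stored credentials and checking employee passwords against known exposures, can be illustrated with working code. The following is an added example written for this article, not code from Constella Intelligence or the report. It shows why an unsalted MD5/SHA-1 digest offers little protection once a database leaks (identical passwords produce identical digests and a small wordlist recovers them instantly), how a salted, iterated PBKDF2-HMAC-SHA256 hash with constant-time comparison avoids both problems, and how a password can be checked against a corpus of exposed credentials by hash prefix so that the full password or digest never leaves the client. The exposed-password list, the 5-character prefix scheme and the PBKDF2 work factor are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Set

# Constructed sample corpus standing in for passwords recovered from breach dumps.
# These values are made up for the example; they are not from the report.
EXPOSED_PASSWORDS = ["Winter2021!", "Password123", "Welcome1", "qwerty", "letmein"]

# Assumption: PBKDF2-HMAC-SHA256 work factor. Tune it so a hash costs tens of
# milliseconds on your authentication servers.
PBKDF2_ITERATIONS = 200_000


def legacy_digest(password: str, algo: str) -> str:
    """Unsalted MD5/SHA-1 as found in legacy databases: fast and deterministic,
    so two users with the same password share one digest."""
    return hashlib.new(algo, password.encode()).hexdigest()


def recover_from_wordlist(digest: str, algo: str, wordlist: Iterable[str]) -> Optional[str]:
    """Show the weakness: an unsalted fast hash falls to a plain dictionary lookup.
    Returns the matching password or None."""
    for candidate in wordlist:
        if legacy_digest(candidate, algo) == digest:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. A fresh random salt per user means
    identical passwords no longer share a digest and precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the work factor can be raised later without a flag day.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def exposed_prefix_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Index SHA-1 digests of known-exposed passwords by their first 5 hex characters.
    In a real deployment this index lives on the monitoring service, not the client."""
    index: Dict[str, Set[str]] = {}
    for p in passwords:
        d = hashlib.sha1(p.encode()).hexdigest().upper()
        index.setdefault(d[:5], set()).add(d[5:])
    return index


def is_exposed(password: str, index: Dict[str, Set[str]]) -> bool:
    """Client-side check: only the 5-character prefix would be sent to the service;
    the returned suffixes are compared locally, so the password itself is never disclosed."""
    d = hashlib.sha1(password.encode()).hexdigest().upper()
    suffixes = index.get(d[:5], set())  # stands in for the service's response
    return d[5:] in suffixes


if __name__ == "__main__":
    leaked = legacy_digest("Welcome1", "sha1")
    print("legacy SHA-1 recovered:", recover_from_wordlist(leaked, "sha1", EXPOSED_PASSWORDS))
    record = hash_password("correct horse battery staple")
    print("PBKDF2 record:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    idx = exposed_prefix_index(EXPOSED_PASSWORDS)
    for pw in ("qwerty", "correct horse battery staple"):
        print(f"{pw!r} exposed:", is_exposed(pw, idx))
```

Rotating a password that `is_exposed` flags, and re-hashing legacy MD5/SHA-1 records into the PBKDF2 format at the user's next successful login, are the operational steps that follow from the checks shown here.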
