Finance Company Inc. (PFC) disclosed it would notify customers whose information may have been involved in a breach earlier this year. Pictured: A woman is silhouetted against a projection of a password log-in dialog box. (Photo by Leon Neal/Getty Images)

Financial institutions have long become accustomed to the fact that it can often take a long time to not only remove but even to discover the most damaging malware in their systems — and even longer to determine the overall impact on their networks and their customers' data.

Case in point: On July 1, Professional Finance Company Inc. (PFC), an accounts receivable management company that supports various organizations, disclosed it would notify customers whose information may have been involved in a breach earlier this year. In late February, PFC had first discovered and rooted out ransomware that had entered and disabled some of the financial company’s computer systems. According to research released by Blumira and IBM in late May, the average breach goes on for 287 days, takes 212 days to be detected and 75 days to contain.

“It’s unfortunate that there was a significant lapse in time between incident detection in late February and initial reporting to only their healthcare provider customers in early May and only now notifying potentially involved individuals directly,” said Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel.

“Even in the best-case scenario, performing a thorough review of a cybersecurity breach to understand everything that was effective can take days or even weeks,” Clements added.

At the time of the malware’s discovery earlier this year, the Greeley, Colorado-based financial firm hired outside cyber-forensic specialists and began to investigate the extent of the breach, which may have been ongoing for weeks or months. In its accounts receivable vendor role, PFC works with many healthcare providers, which were notified of the cyberattack in early May.

“Cybercriminals use social engineering or attack vulnerable systems to gain access to an organization, and while some organizations can detect and stop the attack within a short amount of time, what is uncertain is how many people are impacted by this attack,” James McQuiggan, security awareness advocate at KnowBe4, pointed out.

“One of the more disparaging difficulties with data breaches is the revelation of how long the cybercriminals were inside the organization's network, going undetected,” McQuiggan added. “Part of the cybercriminal's repertoire is silently working through an endpoint to the critical systems by using exploits and stolen credentials.”

The financial services provider said that the incursion had only affected its own data, and PFC claimed that it “found no evidence that personal information has been specifically misused,” according to a public release issued on Friday.

However, the PFC release also pointed out that it is “possible that the following information could have been accessed by an unauthorized third party: first and last name, address, accounts receivable balance and information regarding payments made to accounts, and, in some cases, date of birth, Social Security number, and health insurance and medical treatment information.”

PFC recently mailed letters to the individuals whose data may have been compromised, with information about the breach and offering free credit monitoring and identity theft protection.

Clements said that “far too many organizations quickly find themselves closer to the worst-case scenarios only to realize after a breach has occurred that they lack the tools, processes, or manpower to quickly identify the cause and extent of potential damage.” In such situations, investigations can drag on for months before an accurate picture of the event is assembled, he explained. 

“During this time, cybercriminals can exploit the stolen data by reselling it to other malicious actors or use it themselves to construct highly targeted downstream attack campaigns against victims unaware their data has been taken,” Clements added.

While reviewing financial accounts and tracking recent credit changes after being notified of potential data theft is useful, Clements and McQuiggan (like most industry security experts) recommend that financial firms encourage their customers to be proactive in monitoring their accounts and their credit scores, whether or not they suspect that they have been involved directly or indirectly in a breach.

As McQuiggan pointed out: “Cybercriminals’ efforts are to make money. ... Data breaches where they can steal names, Social Security numbers, and email addresses are a good source of revenue. The customers will want to monitor their financial accounts and be alert for unauthorized charges ... [and] be watchful of any new and opened accounts without authorization.”

In addition, Clements counseled organizations to “adopt a culture of cybersecurity that goes beyond ensuring that they have the capabilities to not only quickly restore operations after a cyberattack, but that they have the means to perform speedy investigations. This approach can help minimize the length of time that customers are put at risk due to ignorance of their exposure.”