A website misconfiguration at a third-party vendor exposed sensitive applicant data held by credit card issuer TCM Bank for 16 months.
TCM Bank aids community banks in issuing credit cards to their customers. Bruce Radke, an attorney working with TCM on its breach outreach effort, told KrebsOnSecurity the firm was contractually prohibited from disclosing the vendor responsible for the breach.
Between early March 2017 and mid-July 2018, the names, addresses, dates of birth and Social Security numbers of fewer than 10,000 people who applied for cards at the financial institution were exposed by the third-party firm. The company said that it learned of the issue on July 16, 2018 and had patched the issue the following day.
“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said. “We've since confirmed the issue has been corrected, and we're requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”
Jessica Marie, cybersecurity evangelist at WhiteHat Security, said vulnerabilities and misconfigurations in websites are incredibly common, even among highly regulated financial services companies, and that unfortunately many businesses across all industries are still unaware of online business risks or have delayed taking appropriate action.
“As a network of community banks, TCM Bank handles documents filled with personally identifiable information (PII), including credit card applications,” Marie said. “Unfortunately in this instance, misconfiguration, which is one of the most critical application security risks, caused a significant leak of customer information.”
In addition, Marie said organizations that rely on digital platforms should also empower developers to code using security best practices throughout the entire software development life cycle (SDLC), with proper training and security certifications.
She went on to say that companies that touch consumer data need to make security a consistent, top-of-mind concern, with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites, and databases.
Fred Kneip, CEO of CyberGRX, said trust is one of the most important elements between a bank and its customers and that any sort of breach has the potential to damage that trust.
“When an enterprise engages with a third party such as TCM Bank, they become responsible for that third party's security controls,” Kneip said. “If there are easy-to-exploit vulnerabilities in their network, that becomes a part of your security posture.”
Kneip added that companies need to constantly monitor and mitigate the risks associated with third-party vendors as those risks arise, since vendors are themselves exposed to new exploits and to configuration changes.
Matan Or-El, CEO and co-founder of Panorays, noted that the issue is that organizations typically lack visibility and control over their third parties, despite the availability of solutions that offer the necessary visibility.
“During the vetting process, companies can scan and monitor the third party to receive an ongoing view of the third party's security posture,” Or-El said. “More advanced solutions even provide easy collaboration and engagement tools between the organization and the third party to ensure that the third party raises their security posture.”
He went on to emphasize that organizations cannot relieve themselves from the responsibility of security when partnering with third parties.