A new breach at the largest bond insurer in the United States, MBIA, highlighted the consequences of lax security within the financial services sector. The insurer exposed sensitive client information through a web application that allowed search engines to index back-end data. The exposed data included administrative credentials that would enable attackers to access any other database information not readily available through search.
The data exposure did not come about through attacks such as password brute-forcing or phishing, unlike many of the high-profile attacks on financial firms. The breach was discovered by independent researcher Bryan Seely and announced by Brian Krebs of KrebsOnSecurity; the exposure resulted from a misconfiguration on an MBIAweb.com web server.
Security pundits call it a black eye for MBIA, one that put routing numbers, bank account numbers and other critical customer information at risk of compromise. It is also a reminder to all organisations of why advanced threat intelligence, along with frequent checks and balances, is growing in importance.
An MBIA spokesman, according to the Washington Post, stated that the company had reached out to existing clients about the data breach and was also contacting past clients:
“We have been notified that certain information related to clients of MBIA’s asset management subsidiary, Cutwater Asset Management, may have been illegally accessed,” the spokesman told the newspaper. “We are conducting a thorough investigation and will take all measures necessary to protect our customers’ data, secure our systems, and preserve evidence for law enforcement.”
The company stated it would shut down the affected server for the time being and was proceeding with a ‘thorough investigation’.
News of the breach came as MBIA announced its plan to divest the Cutwater subsidiary to the Bank of New York Mellon, according to an MBIA securities filing. The bond insurer stated the sale is expected to close in early 2015. Cutwater has $23 billion in assets under management, and its clients include pension funds, financial institutions and local governments.
Krebs says all organisations using Oracle Report Services should see the company’s guidance on securing these systems to ensure they don’t suffer a similar fate.
Eric Chiu, president and co-founder of HyTrust, told eSecurity Planet by email that breaches like these can have a huge impact whether they are malicious or accidental:
“Additionally, misconfiguration is one of the major causes of breaches and downtime — the fact that thousands of customer records and administrative credentials were accessed is a reminder of the severe damage that misconfiguration can cause,” he stated.
“The same policy-based controls and role-based monitoring to prevent insider threats are critical to prevent misconfiguration and alert companies to potential issues,” added Chiu. “With cyber criminals on the hunt for valuable data, companies need to be vigilant when it comes to protecting customer information.”
The MBIA breach is another example of conventional security implementations, antivirus programs and firewalls falling short. Misconfigured servers also continue to be a major source of data breaches; San Diego State University suffered a breach due to a misconfigured server exposing names, birth dates, addresses and Social Security numbers of 1,050 people.
This incident strongly suggests that, even after the initial configuration is developed and installed, bond insurers need advanced threat intelligence services to detect and combat new vulnerabilities before they reach company servers.
If not, attackers will continue to find new opportunities to exploit both client software and network-accessible services. Detecting and addressing threats early through advanced monitoring would also ensure that a data breach does not turn into a disaster.