If there’s one industry where security is an absolute priority, it’s the financial sector. Even back in the pre-digital days, banks had to take security extremely seriously. They’ve always been tempting targets for criminals trying to steal the piles of cash housed in their branches. A successful robbery could net thieves hundreds of thousands of dollars, millions even.
The attraction of taking money from banks hasn’t disappeared with the move to computers and digital banking. If anything, they have become even more appealing targets because the rewards are potentially even higher – especially when money can be transferred in the blink of an eye.
As a consequence, their security and compliance requirements have always been very stringent.
In many ways, banks have provided a security template for modern businesses that are shifting to a model that allows the flow of data outside the corporate network to employees working remotely, to the cloud and to customers.
Banks and financial service organisations have typically had a large number of dispersed workplaces and remote workers. Think of all those local branches dotted across the towns and villages of every country. They’ve also handled and transported large volumes of confidential and sensitive data online to and from businesses and to customers.
Branch security – physical and digital – is of paramount importance to banks, credit unions and other financial services companies. Connectivity between the workplace and the corporate network needs to be secure.
Nevertheless, there are still a few lessons that can be learned about data security from a number of failures in the financial sector:
Automatic updates and patches are important
A data breach at Equifax, one of the largest credit reporting agencies in the US, exposed sensitive information on 143 million consumers. The data included names, social security numbers, birth dates, addresses and even driver’s licence numbers. The hackers also stole more than 200,000 credit card numbers.
The cause of the breach was a failure by Equifax to apply a security patch that fixed a known vulnerability in third-party software running on its servers.
The breach was caused by an employee gaining access to the company’s servers via a misconfigured web application firewall. Had the firewall been configured correctly, the breach would never have happened.
Enforce access control policies
Roughly 885 million documents from insurance giant First American Financial were exposed on publicly accessible web pages for years. They included bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, social security numbers and photos of driver's licences.
The company was the victim of an insecure direct object reference (IDOR), which occurs when an application exposes a reference to its stored data (such as a document number) without checking that the requester is authorised to see that record, so a hacker can guess the pattern and retrieve other records.
More recently, in January 2021, controversial social media platform Parler fell victim to the same vulnerability when 99% of its public contents were archived by a hacker.
IDOR is an access control vulnerability – because it’s a design flaw rather than a misconfiguration, the most reliable way to find it is through code review and testing.
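As an added illustration of the IDOR flaw described above (example code written for this page, not from First American or Parler; the in-memory document store, user names and titles are constructed), here is the vulnerable lookup beside its hardened form, with a small sweep of sequential IDs of the kind a code review or test would run to confirm the fix:

```python
"""Insecure direct object reference (IDOR) shown in miniature.

Constructed in-memory document store standing in for the kind of records
described above; no real data or real system is involved.
"""
import secrets


class AuthorizationError(Exception):
    pass


# Constructed sample data: documents keyed by a sequential integer ID.
DOCUMENTS = {
    1001: {"owner": "alice", "title": "Wire transfer receipt"},
    1002: {"owner": "bob", "title": "Mortgage statement"},
    1003: {"owner": "carol", "title": "Tax document"},
}


def fetch_document_vulnerable(doc_id: int, requester: str) -> dict:
    """IDOR: the ID from the request is trusted as-is, so any authenticated
    user can walk the sequence 1001, 1002, 1003 ... and read every record.
    The `requester` argument is never consulted."""
    return DOCUMENTS[doc_id]


def fetch_document_hardened(doc_id: int, requester: str) -> dict:
    """Fix: look the record up, then enforce that the requester is authorised
    for *that* record before returning it. 'Not found' and 'not yours' are
    deliberately indistinguishable to the caller."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != requester:
        raise AuthorizationError("document not accessible")
    return doc


def readable_titles(requester: str, fetch, start: int = 1001, count: int = 3) -> list:
    """Test helper: sweep a run of sequential IDs as the given user and
    collect the titles that the supplied fetch function hands back."""
    seen = []
    for doc_id in range(start, start + count):
        try:
            seen.append(fetch(doc_id, requester)["title"])
        except (KeyError, AuthorizationError):
            pass
    return seen


def opaque_reference() -> str:
    """Defence in depth: issue unguessable references instead of sequential
    integers so the pattern cannot be inferred. This complements, and never
    replaces, the authorisation check in fetch_document_hardened."""
    return secrets.token_urlsafe(16)
```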
Set permissions for employees
The personal data of up to 9.7 million Canadians was exposed in a breach at the Desjardins Credit Union in 2019.
The cause of the breach was a malicious employee transferring sensitive personal information collected by Desjardins from customers who had purchased or received products offered directly or indirectly by the organisation.
The information was originally stored in two data warehouses to which the malicious employee had limited access, but employees would regularly copy that information onto a shared drive in the course of fulfilling their duties. As a result, employees who didn’t have the required clearance to access some of the confidential data were able to do so.
Desjardins was unaware of the breach for over two years, until it was notified by the police.
The Office of the Privacy Commissioner of Canada (OPC) found Desjardins had not properly implemented policies and procedures for managing personal information. This meant that access controls and the segregation of data across databases and directories provided inadequate protection. The credit union also fell down on employee training and awareness, considering the sensitive nature of the personal information it dealt with.
We can help you address the wide range of cyber risks that your business faces, including phishing awareness, penetration testing, VPN, cloud security strategy assessment and mobile device management.