Banks’ Personally Identifiable Information (PII): Valuable Assets (to Sell)
Banks have the privilege of collecting our data and storing it for their own use. Because
the banks store this data and information, they act as its stewards. As a responsible
steward, a reasonably prudent bank would deploy certain InfoSec measures to protect
the bank, its assets, and its customers’ data.
Apparently, an oversight occurred at two banks. In May 2018, the Bank of
Montreal and Simplii Financial, which is owned by CIBC, announced their alleged breach. Simplii Financial is CIBC’s direct banking brand. The affected clients number approximately 90k people. Their data may have been accessed by the attacker or by the people the data was sold to, as evidenced by the Bank of Montreal receiving a tip stating that a limited number of people’s accounts had been accessed by unauthorized parties.
After the breach was noted and analysis began, Simplii began to implement additional
measures to improve its online cybersecurity. These included, but were not limited to, fraud
monitoring and closer monitoring of online banking. To make things worse, the attackers threatened to release the data they had compromised and exfiltrated. The attackers would not release the data if they were paid $1M on or before May 28th. The Bank of Montreal did not pay the attackers’ ransom and is instead focusing its efforts on its clients.
In this day and age, banks and other entities and institutions have to be more proactive
in implementing defense in depth to ensure, as much as possible, the security of their clients’
data. At times, budgets, internal politics, and timing issues slow these implementations.
They should, however, be pushed closer to the front of development and implementation. The
alternative is to be breached, have the opportunity to publish the breach and claim that only highly
trained “hackers” could have done this, etc., and pay fees.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.