Why We
Can't Have Nice Things
A Tale of Two Heists of Major Financial
Institutions
Every pet owner knows there are many differences between dogs and cats. One such difference is if a dog runs around the house, and knocks over a table with a vase on it, and thus causing the vase to come crashing down and breaking into pieces, when the dog's owner comes in and sees the broken vase, the repentant pooch will come crawling up to the owner showing a sad face with its big brown doggie eyes that say, "I'm sawwhee."
A cat, on the other hand, might deliberately knock a vase off of a table and then sit in the middle of the chards of the shattered vase simply admiring its feline handiwork. The expression on the guilty critter's face will say to its owner: "What vase? I don't see any broken vase. Whaddya talkin' about?" I say this as a life long cat lover.
Our tech companies and other major institutions can also be divided up between those that take responsibility for their part in the dismal state of our cybersecurity, and those that do not. Nothing illustrates this better than the responses of two major financial institutions that have announced recent data breaches.
The month of February 2024, saw two major financial institutions announce data breaches. Bleeping Computer, on February 12, 2024, was the first to report on the data breach that will impact Bank of America and its customers. The formal announcement of a data breach affecting Bank Of America came in a filing with the Office of the Attorney General for the State of Maine. The stated date of the breach was October 29, 2023; and the date the breach was discovered was October 30, 2023. What is troubling here is that the required notice to Bank of America customers was dated February 1, 2024. A delay of three months from discovery of the breach to informing those who might be affected is, or at least should be, unacceptable.
The incident occurred, not through the hacking of BofA directly, but because a third party servicer was hacked. Infosys McCamish Systems (IMS), was the initial source of the compromise. Neither BofA nor Infosys McCamish have had much public comment about the breach. As was reported by many sources now, the data breach at Bank of America was announced by its purported perpetrators, the Russian ransomware actors, Lockbit, on an X (Twitter) posting November 4, 2023. No one was apparently paying attention then, however.
According to all reporting, 57,028 BofA customers have potentially had their personal data residing on the bank's servers compromised. Yet, as CPO magazine reported, February 15, 2023, a non-public filing in the state of Texas, suggests a similar event occurred with bank customer data in the Lone Star State.
A statement by the Attorney General of Texas, where there appears to have been a similar but non-public filing, indicates that a broad range of sensitive information may have been accessed by the hackers: bank account and credit card numbers, Social Security numbers, dates of birth and extensive contact information.
The CPO report caps that piece of information with the unsettling statement, "IMS claims that it cannot say with certainty exactly how much of this was accessed by the attackers."
Compare this glaring lack of transparency and responsibility to both its customers — and potentially to its stockholders — by BofA and its third party contractor with the positive action taken by Prudential Financial, Inc. In a filing with the Security and Exchange Commission, dated February 12, 2024, the insurance giant reported in great detail that it was the victim of a cyberattack and data breach that had occurred February 4, 2024. The breach was subsequently detected February 5, 2024. As of this date, there is no reporting how many, if any, Prudential customers' data was compromised. What the company does say on its K-8 form is that:
As of the date of this Report, we believe that the threat actor, who we suspect to be a cybercrime group, accessed Company administrative and user data from certain information technology systems and a small percentage of Company user accounts associated with employees and contractors.
There is much speculation about why Prudential acted so promptly in reporting the incident. One such reason may be that, as reported by Think Advisor, August 24, 2023, 320,840 customers of the financial services giant had their data stolen in the Clop Move-it debacle in the summer of 2023. The Dispatches devoted several weeks to covering this long running attack. There is currently a class action complaint pending against Prudential over being victimized by Clop Move-It. Case 2:23-cv-04617, filed by "BRUCE PARKER, on behalf of himself and all others similarly situated," can be read here. [pdf will open.] Indeed, several law firms are soliciting victims of the latest attack on Prudential. So maybe prudence by Prudential was a better option this go around.
Another reason for the promptness of the Prudential response is that, in fact, the firm is in compliance with new reporting requirements now in place whenever a publicly traded entity suffers a data breach. The new requirements gives the victim entity four days to announce a breach. There may another reason for Prudential's prompt reporting at play here. As was reported by DarkReading, November 17, 2023, "digital lending service provider MeridianLink" had refused to play along with ransomware group, AlphaV (AKA BlackCat), when those criminals had attacked MeridianLink. As the DarkReading article said, the crooks "also tried out an unprecedented extra extortion tactic, filing a report about its own crime to the SEC, claiming that its victim failed to follow new SEC guidelines for how soon companies have to publicly disclose their breaches." As ALPHAV told the SEC:
It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.
That may well be the weirdest example ever of a modern version of cops and robbers.
Whatever were Prudential actual motives in its timely reporting are less important than the fact that it made such a prompt public announcement of this latest attack on the financial services giant. For this Prudential should be commended. In contrast, as of the date of this research and writing, neither Bank of America nor Infosys Camish have made any public utterance about their mutual data breach, other than the original statement published on the Maine AG website. Are they simply lazy, or do they fear what might be coming next because of either the breach itself, or the delay in reporting? As Forbes Advisor reported, February 15, 2024,
However, consumers whose data may have been compromised were not notified of the security failure until February 1, or about 90 days after the breach was discovered, potentially violating state notification laws.
Bank of America is already embroiled in one pending class action lawsuit arising from a data breach that occurred, February 2023. The complaint is pending in United States District Court, Eastern District Of Pennsylvania, Case 2:23-cv-01340-KNS. [pdf will open.] According to Microsoft Copilot, "As of now, legal counsel for the defendants has not yet appeared in court." As they say, "Stay Tuned."
Postscript February 19, 2024 6:00 am PST
A local North Carolina television station website, WSOCTV.com, is reporting this AM that:
Thousands of customers in North Carolina may have had their information leaked after a Bank of America data breach.... The North Carolina Attorney General’s Office says more than 3,200 Bank of America customers in the state could have had their social security numbers and names leaked.
I repeat. As they say, "Stay Tuned." For surely, there is more to come.
And I love to live so pleasantly
Live this life of luxury
Lazin' on a sunny afternoon
— Sunny Afternoon, The Kinks
Gerald Reiff
| Back to Top | ← previous post | next post → |
| If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal | ||