Headlines about breaches and compliance penalties give us a strong idea of what we do not want for our security programs. Of the breaches in 2020, the financial sector had the highest share at 17 percent, as noted in the 2021 Application Protection Report. With breaches comes regulator attention. In 2017, New York’s Department of Financial Services (NYDFS) enacted the 23 NYCRR Part 500 regulation, which sets out explicit cybersecurity requirements for financial services firms. Since then, three breached financial services organizations have faced sobering consequences for failing to meet the NYDFS rules. This article looks at each of them in detail.
Business Email Compromise via Phishing Unreported
On March 5, 2019, a Residential Mortgage Services employee received an email that appeared to come from a business partner. It was a phishing email that duped the employee into entering their password on a malicious website. Luckily, the email system was protected by multifactor authentication (MFA). Unfortunately, the employee approved four MFA prompts in a row, even though it was after hours. The next day, upon receiving a fifth MFA prompt, the employee alerted IT. An investigation concluded that the email account was indeed compromised, but judged the impact limited and closed the matter.
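The pattern in this incident (a burst of MFA pushes, several approved, outside business hours) is detectable from identity-provider logs. The following is an added example, not code from the original article or from any of the firms discussed: it runs a simple burst detector over a constructed, made-up log whose field layout (ISO timestamp followed by key=value pairs) is an assumption, as are the business-hours window and the thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not from the article or any real IdP export).
# Field layout is an assumption: ISO timestamp, then key=value pairs.
SAMPLE_MFA_LOG = """\
2019-03-05T21:02:11Z user=jdoe event=push_sent result=approved src_ip=203.0.113.7
2019-03-05T21:03:40Z user=jdoe event=push_sent result=approved src_ip=203.0.113.7
2019-03-05T21:05:02Z user=jdoe event=push_sent result=approved src_ip=203.0.113.7
2019-03-05T21:07:55Z user=jdoe event=push_sent result=approved src_ip=203.0.113.7
2019-03-06T08:15:09Z user=jdoe event=push_sent result=denied src_ip=203.0.113.7
2019-03-05T14:10:00Z user=asmith event=push_sent result=approved src_ip=198.51.100.4
2019-03-05T14:10:30Z user=asmith event=login result=success src_ip=198.51.100.4
"""

BUSINESS_HOURS = (8, 18)          # assumption: 08:00-18:00 in the log's time zone
BURST_WINDOW = timedelta(minutes=30)
BURST_THRESHOLD = 3               # pushes within the window before we care


def parse_line(line):
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def after_hours(ts):
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def summarize_burst(user, burst):
    return {
        "user": user,
        "pushes": len(burst),
        "approvals": sum(1 for r in burst if r["result"] == "approved"),
        "after_hours_pushes": sum(1 for r in burst if after_hours(r["ts"])),
        "first": burst[0]["ts"],
        "last": burst[-1]["ts"],
    }


def find_push_fatigue(records, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Group each user's push events into bursts (every push within `window` of
    the burst's first push) and alert on any burst of >= threshold pushes that
    contains at least one approval: an approval inside a burst is the attacker
    getting through, not a user retrying."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("event") == "push_sent":
            by_user[r["user"]].append(r)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])

        def flush(burst):
            if len(burst) >= threshold and any(x["result"] == "approved" for x in burst):
                alerts.append(summarize_burst(user, burst))

        burst = []
        for r in recs:
            if burst and r["ts"] - burst[0]["ts"] > window:
                flush(burst)
                burst = []
            burst.append(r)
        flush(burst)
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_MFA_LOG)):
        print(alert)
```

On the sample log this flags only jdoe: four pushes in six minutes, all approved, all after hours. The after-hours count is reported rather than used as a gate, because a genuine late-night login is common enough that the burst-plus-approval signal should alert on its own and the time of day should raise the priority.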
On March 30, 2020, during an NYDFS assessment that included a review of this incident, examiners found that Residential Mortgage Services had failed to perform breach notification, even though the compromised email account contained sensitive customer financial data. They also found that Residential Mortgage had no comprehensive, documented cybersecurity risk assessment.1
Residential Mortgage Services was fined $1.5 million.
Key Lessons
- Business email compromise (BEC) is a huge issue, accounting for 27 percent of breaches in 2020.
- Phishing is a significant threat. MFA is helpful but not perfect: a user who approves every prompt hands the attacker the second factor.
- Attackers will go after your users with persistence and guile. Security awareness training must be robust and complete.
- Comprehensive risk assessments are critical to strong security and robust compliance.
Severe Web Exploit Went Unpatched for Years
In October 2014, First American Title rolled out a new version of EaglePro, a web-based document delivery system that employees and partners use to access real estate title documents. Some of these documents contain customer data such as bank account numbers, mortgage details, tax records, Social Security numbers, and driver’s license images.
In December 2018, First American Title conducted a penetration test against EaglePro. The test found that by manipulating the URL, authentication could be bypassed and documents retrieved directly. The vulnerability was so easy to exploit that search engine crawlers had already indexed over 5,000 documents.
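A URL-manipulation bypass of this kind is usually a document handler that trusts the identifier in the request and never asks who is requesting. The following is an added example, not EaglePro's code and not anything the article or First American Title published: the vulnerable handler sits beside a hardened one that checks session and ownership, plus a share-link variant for partners who have no account, built on an unguessable expiring token instead of the document id. The in-memory document store, session table, URL shape and function names are all assumptions.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed in-memory stand-ins (assumptions; nothing here is EaglePro's design).
DOCUMENTS = {
    "1001": {"owner": "alice", "title": "Closing statement for 12 Main St"},
    "1002": {"owner": "bob", "title": "Tax record for 7 Oak Ave"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}   # cookie value -> user
SHARE_TOKENS = {}                                        # token -> (doc_id, expires_at)


class Forbidden(Exception):
    """Raised for 'not logged in', 'not yours' and 'no such document' alike; the
    web layer turns all of them into one uniform 403 so the endpoint is not an
    enumeration oracle for which ids exist."""


def doc_id_from(url):
    return parse_qs(urlparse(url).query).get("id", [None])[0]


def vulnerable_fetch(url):
    """The weak pattern: the id comes straight from the query string and the
    record is served with no session or ownership check. Anyone, including a
    search engine crawler, who changes the id reads another customer's file."""
    return DOCUMENTS.get(doc_id_from(url))


def hardened_fetch(url, session_cookie):
    """Hardened form: require a valid session, then check the record's owner
    against the session user (authorization, not just authentication)."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id_from(url))
    if doc is None or doc["owner"] != user:
        raise Forbidden("not authorized")
    return doc


def issue_share_link(doc_id, owner, now, ttl_seconds=3600):
    """For partners without accounts: a short-lived, unguessable capability
    token (never the document id) is the only thing that goes in the URL.
    `now` is epoch seconds supplied by the caller so the flow is testable."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != owner:
        raise Forbidden("not authorized")
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    SHARE_TOKENS[token] = (doc_id, now + ttl_seconds)
    return token


def fetch_by_token(token, now):
    entry = SHARE_TOKENS.get(token)
    if entry is None:
        raise Forbidden("not authorized")
    doc_id, expires_at = entry
    if now >= expires_at:
        del SHARE_TOKENS[token]
        raise Forbidden("link expired")
    return DOCUMENTS[doc_id]


if __name__ == "__main__":
    url = "https://docs.example.invalid/view?id=1002"
    print("vulnerable:", vulnerable_fetch(url))            # bob's record, no login
    print("hardened as bob:", hardened_fetch(url, "sess-bob"))
    try:
        hardened_fetch(url, "sess-alice")
    except Forbidden as e:
        print("hardened as alice:", e)
```

Two points worth noting in the hardened path: a missing document and a document owned by someone else produce the same failure, so an attacker iterating ids learns nothing about which ones exist, and a crawler that follows a leaked link gets a 403 rather than a document to index. The share-link variant keeps partner access working without reintroducing guessable ids; a real deployment would also log each token use and bind the token to the recipient's email or a one-time code.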
The vulnerability remained unpatched due to a series of operational glitches, including assigning the fix to a new employee with little security experience, accidentally lowering the priority from medium to low, and not sharing the test report with the remediation owner.
In May 2019, journalist Brian Krebs reported the vulnerability after hearing from a concerned customer who had discovered it by accident.2 During the ensuing NYDFS investigation, the chief information security officer (CISO) “disavowed ownership” of the issue, stating that such controls were not the responsibility of the security department.3 NYDFS regulations also require encryption for documents containing sensitive financial information. It was estimated that tens of millions of records had been exposed since the vulnerability was first introduced.
First American Title settled with the U.S. Securities and Exchange Commission (SEC) for $487,616.4 The NYDFS judgment has not yet been determined.
Key Lessons
- Vulnerability management is hard, but there are ways to prioritize remediation (by how easily a hole is exploited and by the sensitivity of the data behind it) so the right holes are closed in a timely manner.
- Ownership of cybersecurity risks, especially application security risks, must be crystal clear and well communicated.
- Even when the CISO does not own the fix, the security team still needs to track major risks and cybersecurity compliance issues through to closure.
Multiple Phishing Breaches, Partial MFA
National Securities Insurance suffered four major phishing breaches between 2018 and 2020. In April 2018, its CFO’s Office 365 email account was discovered to be forwarding mail to an external account. IT determined that the CFO had fallen for a phishing email, and the compromised mailbox exposed sensitive customer information. The breach was reported to the individuals involved and to the appropriate state attorneys general offices, but not to NYDFS.
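A mailbox silently forwarding to an outside address is one of the most reliable BEC indicators, and it can be audited on a schedule rather than waiting for someone to notice. The following is an added example, not code from the article or from National Securities: it audits a constructed list of mailbox rules for external forwarding targets and rates higher any rule that also deletes or moves the original, the usual trick for hiding the attacker's correspondence from the mailbox owner. The JSON field names, the internal domain list and the severity scheme are assumptions; real exports from Office 365 or Google use their own schemas.

```python
import json

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domains

# Constructed sample, loosely shaped like an export of per-mailbox inbox rules.
# Field names are assumptions, not a real Office 365 or Google export format.
SAMPLE_RULES_JSON = json.dumps([
    {"mailbox": "cfo@example.com", "name": "Archive", "enabled": True,
     "forward_to": ["finance.archive@mail.invalid"], "delete_or_move": True},
    {"mailbox": "ap@example.com", "name": "Team copy", "enabled": True,
     "forward_to": ["ap-team@example.com"], "delete_or_move": False},
    {"mailbox": "hr@example.com", "name": "Personal", "enabled": True,
     "forward_to": ["hr.person@webmail.invalid"], "delete_or_move": False},
    {"mailbox": "old@example.com", "name": "Stale", "enabled": False,
     "forward_to": ["x@webmail.invalid"], "delete_or_move": True},
])

SEVERITY_ORDER = ("high", "medium", "low")


def domain_of(address):
    """Case-insensitive domain part; addresses without '@' yield themselves."""
    return address.rsplit("@", 1)[-1].lower()


def audit_forwarding_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Return findings for every rule with at least one external forwarding
    target. Enabled rule that also deletes/moves the original: high.
    Enabled rule that only copies outside: medium. Disabled rule: low
    (dormant, but it should still be removed)."""
    findings = []
    for rule in json.loads(rules_json):
        external = [a for a in rule.get("forward_to", [])
                    if domain_of(a) not in internal_domains]
        if not external:
            continue
        if not rule.get("enabled"):
            severity = "low"
        elif rule.get("delete_or_move"):
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "external_targets": external,
            "severity": severity,
        })
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))


if __name__ == "__main__":
    for finding in audit_forwarding_rules(SAMPLE_RULES_JSON):
        print(finding)
```

Run against the sample, the CFO-style rule comes out first as high, the personal-webmail copy as medium, and the disabled stale rule as low; the internal team copy is not reported. In production the same check should cover tenant-level forwarding settings and OAuth mail-access grants, not only per-mailbox rules, because an attacker who has the password can set up persistence in any of those places.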
In March 2019, National Securities discovered unauthorized access to its tax software document management system. The attack was traced to a phishing attack on an employee’s Office 365 email account. All potentially impacted customers were notified, as were the IRS, the SEC, the FBI, and the local county sheriff’s office, but not NYDFS.
In September 2019, an unverified change to an employee’s direct deposit account triggered an investigation that discovered that the employee’s email had been compromised through phishing. All potentially impacted individuals were contacted.
In April 2020, an independent contractor reported a suspicious transfer of $200,000. An investigation uncovered further illicit transfers traced to a phishing attack on the contractor’s Office 365 email account. All potentially impacted individuals were contacted.
An NYDFS review revealed that MFA for email had not been fully rolled out. All of National Securities’ corporate employee email accounts had been migrated to Google Suite with MFA, but not all of the contractors’ accounts had. Furthermore, the review showed that National Securities used more than 60 third-party applications holding sensitive customer information, not all of them protected by MFA.5
National Securities was subject to a judgment of $3 million.
Key Lessons
- Inventory and reduce sensitive data sprawl as much as possible, because if you possess it, you must secure it all the time.
- MFA is powerful but not easy to roll out. Here are some tips and tricks for implementing MFA.
- Incident response plans need to include a detailed list of who needs to be notified, regulators included. Here are five questions to measure your incident response capability.
The Future
As the headlines continue to fill with breaches, legislators will layer on more security regulations. While 2020 saw a lot of breaches, we should expect more in 2021. When they happen, victims and regulators will look for negligence. Make sure your security program is robust and can stand up to that judgment.