First Horizon Bank Customers Have Account Funds Drained

A leading US bank has revealed a data breach in which over 100 online customers had their funds accessed by an unauthorized intruder.

First Horizon Bank claimed in a filing with the Securities and Exchange Commission (SEC) yesterday that less than $1 million was stolen in total from those accounts.

The attack itself seems to have relied on stolen or brute forced customer credentials, plus the exploitation of a vulnerability inside the financial services company.

“Based on its ongoing investigation, the company determined that an unauthorized party had obtained login credentials from an unknown source and attempted access to customer accounts,” the SEC filing explained.

“Using the credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 online customer bank accounts, had access to personal information in those accounts, and fraudulently obtained an aggregate of less than $1 million from some of those accounts.”

First Horizon, formerly known as First Tennessee Bank, said it had remediated the bug in question, reset the affected customer passwords and reimbursed those impacted by the breach.

“Based on its ongoing assessment of the incident to date, the company does not believe that this event will have a material adverse effect on its business, results of operations or financial condition,” it concluded.

Given the bank's profits exceeded $500 million last financial year, the raid would indeed not seem to have made a serious impact on its bottom line.

However, experts argued that the incident should serve as a warning for IT security teams that layered defenses are essential today.

“Training users on security, such as recognizing phishing and fake websites, is a start, but not enough,” said Timothy Chiu, VP at K2 Cyber Security.

“Organizations also need network, system and application security to protect their assets.  Application security adds the final layer, protecting applications that may have unknown or unpatched vulnerabilities.”

What’s Hot on Infosecurity Magazine?