ICBA Bancard Inc. subsidiary TCM Bank, a company that aids community banks in issuing credit cards to their customers, announced that the personal data of thousands of people who applied for credit cards with their local banks was exposed, according to Brian Krebs.
The information that was leaked between early March and mid-July 2018 included the names, addresses, dates of birth and Social Security numbers of thousands of people across the more than 750 community banks that work with TCM Bank. The leak was reportedly discovered on 16 July, then fixed the following day. TCM told KrebsonSecurity that the leak was from one of the third-party vendors that manages its website.
As a network of community banks, TCM Bank handles documents filled with personally identifiable information (PII), including credit card applications. In this instance, misconfiguration – a critical application-security risk – resulted in the a leak of customer information.
“Vulnerabilities and misconfigurations in websites are incredibly common, even among highly regulated financial services companies. Many businesses, across all industries, are still unaware of online business risks or have delayed taking appropriate action,” said Jessica Marie, cybersecurity evangelist at WhiteHat Security.
That the receiving organization is duty bound to protect the data customers share with it is a stance that policymakers have taken, as seen in regulations such as GDPR and New York Department of Financial Service's cybersecurity requirements. Increasingly, organizations are being held responsible for the security of their third parties, said Matan Or-El, CEO and co-founder of Panorays.
“When partnering with third parties, organizations cannot relieve themselves from the responsibility of security. In the eyes of the affected consumers, they provided the data to the organization and they hold that organization responsible.”
A potential result of a data breach for any organization is damage to brand and reputation, which is ironically what these community banks were trying to build by offering bank-branded credit card options to their customers.
“Trust is one of the most important elements in the relationship between banks and consumers. Customers trust their banks with the most sensitive of data, and any sort of breach can do real and lasting damage to the bank’s reputation in the eyes of consumers,” said Fred Kneip, CEO, CyberGRX.
“When an enterprise engages with a third party such as TCM Bank, they become responsible for that third party’s security controls. If there are easy-to-exploit vulnerabilities in their network, that becomes a part of your security posture. Companies need to understand that their third parties’ security controls are constantly vulnerable to new exploits or configuration changes, which creates a need to monitor and mitigate these risks as they arise.”