Bank Data Security Breaches: Numbness or Negligence?
High-profile data breaches and leaks continue to happen. Why are banks and organizations still lax in securing their most valuable data?
12 February 2019
Technology news site TechCrunch recently reported that more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., were found exposed online after a server security lapse.
The breach exposed “decades’ worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life.”
Amazingly, these high-value data were not password protected and, worse still, were stored unencrypted. The personal information was held by Ascension, a third party that processes loan and mortgage data on behalf of many High Street banks.
In the same week, the BBC reported that French data regulators had fined Google €50 million (US$57m) under the General Data Protection Regulation (GDPR), which came into force in 2018. It is one of the first major fines imposed under GDPR, which was introduced to protect individuals’ privacy and security.
There are almost daily articles about major data breaches by large corporates, banks and healthcare companies. Given the scale of the Ascension data breach and the lack of security around that information, the question has to be asked: Are banks and financial organizations numb or negligent in handling their most valuable data?
Corporations have rushed to comply with the GDPR, spending millions of dollars to implement protections for the personal data they hold. Failing to protect that information could see them fined up to 4 percent of their global annual turnover. In Google’s case that could equate to roughly US$4bn after its record $100bn year. Given the threat of such fines, you would expect banks to protect their data at all times. So how is it that sensitive personal information is still turning up on the Internet?
Although protections are in place for much of the data they store, large organizations are often negligent when sharing data with third parties, whether through partnerships with companies such as Ascension or through the carelessness of employees, who often share critical data by email or with insecure cloud-sharing tools.
A better way forward
Here’s what I think needs to happen to reduce the number of major breaches:
Any organization that holds or processes customer data should be held accountable for encrypting those sensitive data throughout their entire lifecycle, from creation to deletion. The technology to make that a reality is readily available today; what is still lacking is the investment in it.
Banks should be held accountable for holding their third-party vendors to the same security standards they impose on their own systems.
I’m sure all banks will be reviewing their risk assessments following this latest leak. As part of their vendor management procedures, banks should only work with highly secure, audited vendors. Blindly trusting a vendor is no longer acceptable; financial institutions need to verify the protections their partners actually use.
Given the vast number of breaches and leaks reported, customers are becoming accustomed to data breaches. We read about them more and more, yet we fail to take action.
The first step we all need to take is to look inward. When was the last time you checked whether your data had been exposed in a breach? When was the last time you changed your password after being notified of a breach that affected you? Will it take a major crisis, such as identity theft or financial loss, before we act?
Unfortunately, it will likely take a major fine of a bank or financial institution before many boards of directors finally take responsibility for data protection and ensure their customers’ personal information is safeguarded.
Will 2019 be the year that a bank is hit with the maximum fine that regulators are now able to impose under GDPR? As it stands now, it will take a major event to change the attitude from numbness and negligence to one of security and protection.
Daren Glenister is the Field CTO for Intralinks. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product road map and the evolving secure collaboration market. Daren brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software having worked with many of the Fortune 1000 companies helping to turn business challenges into real world solutions.