MBIA / Cutwater Data Breach
Google Search as a Hacking Tool

Page and linked image made visible on 10/12/14. See update at the bottom of this page (written before the page was made visible).

On October 7, Brian Krebs wrote that a day earlier he notified MBIA that sensitive account data for many of its customers had been visible on the Internet and had even been indexed by search engines. KrebsOnSecurity has been the first to provide relevant data breach information on a number of occasions. Numerous news outlets, from Reuters to the Wall Street Journal, have subsequently reported on the data breach.

This data breach is of a very nasty kind because the reportedly exposed information shows how to add or remove authorized bank accounts and contact names. There may be other controls in place that would stop this from happening, but it's troubling to see the mention of Seely Security's discovering admin login info for the database that would "grant access to nearly all of the customer account data on the server." This doesn't seem to have been discovered based on the search results. Search results certainly led to it though.

MBIA is one of the largest financial guarantee insurance companies. Along with other monoline financial guarantors, it ran into great difficulties when the financial crisis started. In retrospect, the effect of the crisis on financial guarantors was obvious and reflective of their significant expansion beyond municipal bond insurance, leading to their substantial direct or indirect exposure to mortgage-backed securities (mostly RMBS and CDOs of RMBS and other asset-backed securities). MBIA was part of the S&P 500 until 2008.

-- Google Search as a Hacking Tool --

Because much of the data appears to have been indexed by Google, sensitive information was only a few clicks away. No sophisticated tools were needed to obtain information on account numbers with Cutwater, bank routing numbers and account numbers, balances or information on how to change some of this data. The step of getting information from Google is not hacking. And yet the result is exactly the same. This goes beyond the general trend toward greater availability of sophisticated hacking tools that can now be bought online by script kiddies or other novice hackers at very low prices. The barriers to entry are much lower than they used to be.

-- Is Some Sensitive Information Still Exposed? --

The server that was reportedly compromised has been shut down by the company. No access to the information is available through company systems. The Google search results for accounts specifically referenced by Brian Krebs were quickly removed.

However, there seem to be indirect ways of obtaining limited sensitive data. For example, Google still has the cached content showing an old monthly account statement that was available on October 7 in the same cached version.

It is based on the content indexed by Google on September 29. This particular monthly statement has the account name, the account holder name, the account number, beginning and month-end balances, and more.

Account Takeover

Corporate account takeover is moving up on the list of financial cyber crimes. This type of fraud can have very serious consequences because the balance of a corporate account is often quite sizeable. While no fraudulent activities have been reported, this incident may be seen as an illustration of the growing threat of potential corporate account takeovers by cyber criminals.

Bizarre coincidence

The timing is ironic because Krebs informed the company about the breach on the same day that MBIA announced an agreement to sell its asset management subsidiary to BNY Mellon and filed an 8-K with the SEC about the agreement. The data breach reportedly happened at that very subsidiary, Cutwater Asset Management. Cutwater has $23 billion in AUM.

Notes

1. Alex Krutov has notified MBIA of this issue.
2. Potentially sensitive information on the screen shot linked to from this page has been redacted.
3. Assigning blame and making far-reaching conclusions is always easy. Some have labeled what has happened at MBIA as "negligence." We believe it's best to wait for all the facts to emerge before passing harsh judgements. A productive line of future inquiry may also be to compare cybersecurity at MBIA and the industry in general. The apparent data breach by itself, without any additional information, is not sufficient evidence that MBIA has been more deficient in cybersecurity and risk governance than most other companies in this industry. It may have even been better than the average. There is a clear need to improve information security and cyber risk management in most sectors of the economy.

Update

October 12, 2014
The cached Google search result referenced and linked to above (the screen shot of an account statement with details appearing to contain sensitive client information but redacted in the version we have posted) has been removed from Google search results. We do not observe any Google search results containing potentially sensitive information that may have been indexed off this MBIA server. None of the other major search engines appears to have any such sensitive information indexed off mbiaweb.com or cc.cutwater.com.

Disclosure summary
The material herein should be considered journalistic commentary and expression of personal views. These views, commentary, the information they are based on, and the information mentioned in the content are subject to the limitations listed below. Any obligation to update this content based on additional or new information or to reflect any change in views or opinions is disclaimed. Where specific facts or news items are described, used as illustrations or serve as the basis for conclusions or observations, we advise caution and independent research of both the facts and any conclusions or observations. We advise the same caution where no facts are directly referenced or appear to be referenced. No content included or referenced on this site should be construed as a recommendation, advice, statement or professional opinion of any kind. Any statement of professional opinion is identified as such, in the beginning and the end, in an unambiguous manner. This page and other journalistic entries contain no such statements, opinions, recommendations or advice. No content posted here should be perceived as anything other than journalistic commentary or reporting. This website contains links to other sites that we do not endorse and that may contain information we have not reviewed or verified and in some cases may disagree with. These sites may express views we do not share, have privacy policies and security procedures we have not reviewed or approved, and have features or content you may find objectionable. See Terms and Conditions for additional information on limitations of liability and the terms of use.


©Copyright Protected. All rights reserved. Navigation Advisors, LLC.