Data of Thousands of Card Applicants Exposed

Credit card issuer TCM Bank, which works with some 750 small and community U.S. financial institutions, including credit unions, exposed the personal information of thousands of individuals who applied for accounts.

Brian Krebs in his blog KrebsOnSecurity reported between early March 2017 and mid-July 2018, TCM Bank exposed the names, addresses, dates of birth and Social Security numbers through a website misconfiguration.

As reported by Krebs, in a letter mailed to affected customers, TCM said the information exposed was data card applicants uploaded to a Web site managed by an unnamed third-party vendor. TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.

Krebs said an attorney working with TCM on its breach outreach indicated the breach affected fewer than 10,000 consumers who applied for cards, less than 25% of the applications processed during the related period potentially affected, and less than 1% of its cardholder base.

TCM is a subsidiary of Washington, D.C.-based ICBA Bancard Inc., the payments subsidiary of the Independent Community Bankers of America, which represents more than 5,700 financial institutions. On November 27, 2017, ICBA filed a lawsuit on behalf of all community bankers against Equifax Inc. following the credit reporting agencies’ exposure of some 148 million consumer records and 209,000 payment cards. (CUNA and at least 19 credit union leagues and more than 40 credit unions also took legal action against Equifax.)

Jessica Marie, cybersecurity evangelist at San Jose, Calif.-based WhiteHat Security, commented on the incident: “Vulnerabilities and misconfigurations in websites are incredibly common, even among highly-regulated financial services companies. Many businesses, across all industries, are still unaware of online business risks, or have delayed taking appropriate action. This is unfortunate for them and their users, since websites typically house sensitive customer data.” According to WhiteHat Security research, an alarming number of web applications remain always vulnerable and susceptible to attack every day.

“As a network of community banks, TCM Bank handles documents filled with personally identifiable information, including credit card applications. Unfortunately in this instance, misconfiguration, which is one of the most critical application security risks, caused a significant leak of customer information,” Marie said. She noted every company that touches consumer data needs to make security a consistent, top-of-mind concern, with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites, databases. “Organizations that rely on digital platforms should also empower developers to code using security best practices throughout the entire software development life cycle, with proper training and security certifications.”

Alisdair Faulkner, chief identity officer at San Jose, Calif.-based ThreatMetrix, a LexisNexis Risk Solutions Company, maintained, “It’s no longer just about these massive data breaches; what happens next is a billion-dollar problem. You don’t need to break through the window if you can walk in the front door, which is why identity information is so valuable for cybercriminals. In the wake of data breaches, we see fraud attack volumes double or triple on our global network.”

Faulkner noted hackers use this leaked information to piece together convincing synthesized identities, open new lines of credit, hack into existing accounts and make fraudulent purchases. To proactively defend themselves and their consumers, digital businesses need to assess each and every customer transaction based on whether it is their true digital identity – or a fraudster posing as them. “Breached identities are the key to our digital lives. Organizations will be held accountable for not changing the locks, even if they’re the victims themselves.”