LMG Firm & Credit Union Solutions Group Spar Over Cybersecurity Issues
Company releases a warning of CMS vulnerabilities on Tuesday that CUSG fixed more than three months ago.
Credit Union Solutions Group said it notified 275 credit union web services clients using CUSG’s proprietary content management system (CMS) of a temporary vulnerability that was discovered and promptly remedied last October.
The Livonia, Mich.-based organization issued a statement on Tuesday afternoon after LMG Security, a cybersecurity consulting firm in Missoula, Mont., reported in a news release on Tuesday morning that it discovered three critical software vulnerabilities that posed a significant threat to hundreds of organizations in the United States. Emily Gosney, a cybersecurity consultant at the firm, detected these vulnerabilities in CUSG’s CMS web application and warned a malicious user could leverage these vulnerabilities to gain “ultra admin” access to any organization running this application.
CUSG acknowledged that the vulnerability was identified by LMG Security on Oct. 26, and that it was remedied by CUSG within 48 hours.
“CUSG was able to make the fixes independently without client impact or exposure,” CUSG said in a prepared statement.
However, CUSG noted that LMG failed to report in its news release that CUSG had immediately taken remedial action without client impact. CUSG also notified LMG of that omission and asked that LMG clarify this for its readers.
LMG said it took more than three months to report the vulnerabilities because it was following the IT industry’s best practices.
“The industry standard responsible disclosure best practice is to wait 90 days (in this case LMG waited longer than the standard 90 days) to announce the vulnerability,” LMG said in a prepared statement. “This allows the software supplier time to remediate the issues before a public announcement. If researchers and penetration testers made public announcements immediately, this could inform attackers of a vulnerability and cause breaches.”
LMG indicated it issued the news release on Tuesday morning without reporting that CUSG had fixed the vulnerabilities because it did not hear back from CUSG that the vulnerabilities had been patched. Nevertheless, the consulting firm acknowledged in an updated news release that CUSG contacted LMG later on Tuesday stating that the vulnerabilities had been remediated.
“CUSG also shared that they will add new proactive prevention processes to further enhance their security moving forward,” LMG said in its updated news release. “This serves as a good reminder that routine penetration testing is a best practice to catch these security gaps before a breach, especially in commonly overlooked web and cloud applications.”
Like other technology services providers, CUSG said, it conducts regular audits, engages outside consultants and relies on numerous partners to ensure that all of its products minimize security risks for CUSG clients.
“Again, in this case, these continuous processes are an example of those efforts being successful,” CUSG said.