London: Commenting on reports that cybercriminals are holding stolen bank customer data for electronic ransom in return for 150,000 euros, Venafi suggests this case is almost certainly one of many in the global banking industry.
According to the Enterprise Key and Certificate Management (EKCM) solutions specialist, anecdotal reports have been circulating in banking circles for several years of cybercriminals extorting money from financial companies whose IT systems have been compromised – typically the result of poor access controls and IT management worst practices.
“The problem with these reports is that the institutions – obviously fearful of brand reputational damage – have simply paid up the money and kept quiet on what has happened. This case appears to be one of the rare occasions when the details have been made public by the hacktivist group concerned,” said Jeff Hudson, Venafi CEO. “And you can’t get more public than the Pastebin service, and the message about the ‘idiot tax’ the hackers have reportedly left for the media,” he added.
Hudson went on to say that, if newswire reports are to be believed, the stolen customer data – a sample of which has been detailed in the media release – includes extensive, confidential customer information from the mortgage and consumer credit division of a Belgian bank.
We have great sympathy for the management of the bank concerned, which is now in the impossible situation of either letting the Friday electronic ransom deadline pass and watching their customers’ data posted publicly on the Internet, or, he explained, paying the ransom and risking the ridicule of being the first bank to publicly pay cybercriminals a payment of this type – and making themselves a potential target for other hackers, or even the same group of hackers, who may have other information and equally malicious intent.
The Venafi chief executive says that the Belgian bank is now in a no-win situation of being damned if it does – and damned if it does not – pay the ‘idiot tax’ to the hacktivist group.
What makes matters worse, he adds, is that the hackers report that the customer data was left unprotected and unencrypted on the bank’s servers, with the hackers’ terminology – idiot tax – making the situation even worse than it already is.
“While it is good to hear that the bank is reported to have told reporters that it is not planning to yield to this type of blackmail, the bottom line is that potential clients of the institution will not exactly be encouraged to apply for a loan with the bank concerned,” he said.
“This all comes down to the lack of security on the bank’s servers. The information should have been high-level encrypted and the keys to the database accessed and managed by the correct IT personnel only. This isn’t rocket science, and the bank’s IT security staff deserve to be castigated over the affair, which is going to cost the bank millions in lost potential profits,” he added.
“All too often, organizations have failed to place strong controls and policies around protecting customer information. There are simply no longer any excuses for this, especially when it comes to leveraging encryption. Automated solutions make it easy and cost-effective to deploy and manage these critical security instruments across even the most complex global networks.”
“And this is before we get into the inevitable lawsuits from customers whose personal financial affairs are going to be smeared across the Internet.”