Potential Bank Customer Data Exposed through Fiserv Platform Flaw

Security researchers and cybersecurity experts recently discovered a weakness in Fiserv’s web platform, which may have exposed the personal and financial details of customers across hundreds of internet banking sites. The flaw involved a messaging platform used by Fiserv to send account alerts to customers of Fiserv-affiliated banks. These alerts can be set up to notify the customer of certain events, such as when a balance passes a threshold. Someone noticed that the alert was delivered as a link to a web page whose web address contained a numeric event identifier, such as 17835. They found that by changing the number they could access an alert for another customer. So, for example, by simply changing 17835 to 17836 and leaving the rest of the web address the same, the user could access an alert belonging to another customer. This would show the user the other customer’s email address, phone number, and the last four digits of the customer’s bank account number, in addition to allowing the user to view and even edit alerts set up by the other customer. The user could even edit the email address or phone numbers to which the other customer’s alerts would be sent. Fiserv has reportedly addressed this flaw by making the messages no longer sequential, replacing the event identifier number with a pseudo-random string of characters.
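The pattern described above is an insecure direct object reference: the identifier in the URL is the only thing standing between a user and another customer's record. The following is an added illustration, not Fiserv's code, written here with a constructed in-memory alert store and hypothetical customer IDs. It shows the sequential-ID lookup beside a hardened version that pairs the unguessable identifier with an ownership check, so that even a leaked or guessed link cannot reach another customer's alert.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Alert:
    owner: str        # customer the alert belongs to
    email: str        # contact details the flaw exposed and allowed editing
    phone: str
    acct_last4: str   # last four digits of the account number
    threshold: float  # balance threshold that triggers the alert


# Constructed sample data: two customers whose alerts sit at adjacent IDs.
VULN_STORE = {
    17835: Alert("cust-A", "a@example.com", "555-0100", "1234", 100.0),
    17836: Alert("cust-B", "b@example.com", "555-0101", "9876", 250.0),
}


def get_alert_vulnerable(store, alert_id, requester):
    """Sequential ID is the only key; the requester is never checked.
    Changing 17835 to 17836 in the URL returns another customer's alert."""
    return store.get(alert_id)


def new_alert_id():
    """32 bytes from the OS CSPRNG as a 43-character URL-safe token.
    Unlike a counter, neighbouring IDs cannot be derived from a known one."""
    return secrets.token_urlsafe(32)


class AlertService:
    """Hardened store: random identifiers plus an ownership check on every access."""

    def __init__(self):
        self._store = {}

    def create(self, owner, email, phone, acct_last4, threshold):
        alert_id = new_alert_id()
        self._store[alert_id] = Alert(owner, email, phone, acct_last4, threshold)
        return alert_id

    def get(self, alert_id, requester):
        alert = self._store.get(alert_id)
        # Authorization: the authenticated session must own the record.
        # Unknown ID and foreign ID both yield None, so nothing is leaked.
        if alert is None or alert.owner != requester:
            return None
        return alert

    def update_contact(self, alert_id, requester, email=None, phone=None):
        alert = self.get(alert_id, requester)   # reuses the ownership check
        if alert is None:
            return False
        alert.email = email or alert.email
        alert.phone = phone or alert.phone
        return True
```

The random identifier defeats enumeration; the ownership check is what makes the record safe even if the link is forwarded or logged somewhere an attacker can read it.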

KrebsOnSecurity made this discovery public today. Data security breaches are a key risk area for businesses, and an effective breach management process can help minimize that risk. While there are still many unanswered questions, we anticipate that many banks and financial services organizations that utilize the Fiserv platform may receive questions from customers, users, investors and, possibly, regulators. Organizations that may be at risk should consider engaging their Incident Response Team to review any abnormal log-ins and conduct an internal investigation. In addition, organizations should review their vendor services agreements (including those with Fiserv) to determine who is ultimately responsible for data security incidents.

If you have any questions about the Fiserv platform flaw or data incident response, please contact one of the attorneys in the Privacy, Security and Innovation team at Bradley.

Erin Jane Illman

Erin Illman has over a decade of experience representing corporate entities, technology companies and financial institution clients in a wide variety of regulatory compliance, litigation and contract matters. Erin’s current practice combines her technology, financial and corporate entity experience and is focused on helping companies navigate compliance and litigation risks associated with information security, digital services and products, cybersecurity, e-commerce and data privacy.

Steve Snyder

Steve Snyder is a member of Bradley’s Banking and Financial Services and Cybersecurity and Privacy teams. He leverages his industry experience as a network engineer and cyber risk manager to assist clients in navigating the increasingly complex matters related to data protection arising from emerging technologies. Steve is a thought leader in privacy and data security and routinely writes and speaks on cybersecurity topics.

Lesley Smith DeRamus

Lesley DeRamus has over 25 years of experience advising financial institutions on consumer protection laws and regulations impacting their operations. She regularly advises financial institutions on regulatory issues and develops forms, procedures and strategies for compliance. Also, she frequently advises clients on issues related to agency examinations and litigation matters. Lesley has advised institutions on both deposit and credit regulatory issues.