The fallout from a data breach or ransomware attack is devastating for financial institutions. There’s monetary loss, operational disruptions that threaten business continuity, and reputational damage to companies that are victimized by hackers.
At the end of June, California-based Patelco Credit Union detected a ransomware attack that involved unauthorized access to some of their databases. According to a notice, an investigation revealed that an unauthorized party gained access to their network on May 23, leading to access to the databases on June 29.
It took two weeks for some services to be restored and affected an estimated 450,000 customers.
Leaders at Patelco say that on Aug. 14, they confirmed the accessed databases contained personal information, including social security numbers, driver’s license numbers, and dates of birth. They are offering affected individuals a free two-year membership for Experian IdentityWorks Credit 3B.
“Please accept our apologies that this incident occurred. We are committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We continually evaluate and modify our practices and internal controls to enhance the security and privacy of personal information,” the notice says.
But credit monitoring and an apology may not be enough. Multiple lawsuits are popping up in California and other states.
The law firm of Federman & Sherwood in Oklahoma City has initiated an investigation with plans to pursue litigation through a class action lawsuit. Lawyers at Levi & Korsinsky in New York City are also planning to pursue a class action case against Patelco.
What can financial companies do in a world where hackers are working around the clock to crack into consumer databases?
Brad Blumberg, founder of Aster Key, a firm that helps financial services firms avoid data breaches, said it’s a twofold issue for companies.
“Part of it’s cultural, part of it’s technological,” he said. “Companies are getting hacked on one or two channels. They (hackers) are either getting into existing software or they’re tricking someone on staff to click on something so they can get access.”
A breach can be a major financial setback for a company.
“It’s devastating what these companies have to pay,” said Blumberg. “I saw loanDepot reported in their 10-K that they spent over $40 million in the first six months of the year on the breach. Mr. Cooper spent $26 million. And that’s not even including the litigation that’s coming down the line.”
For a lender that’s not tech-savvy, the hackers are always going to be one step ahead, Blumberg said.
“They’re determined. They can take years or months; they’re probably in everybody’s system,” said Blumberg. “Lenders have to start adopting zero trust architecture where you don’t trust any device, anything coming into your system, and you’re aware of it. And you have tools in the back end where you can see everything that’s going in. Everyone’s got to authenticate.”
Blumberg said bigger institutions can hire top security people but the data threats are constant. That’s why company leaders have to make sure employees are trained properly.
“Everybody’s got to be diligent,” he said. “Attackers are not playing golf on Sundays. They’re a lot more determined than I think we are.”
Blumberg said lenders should also embrace innovations in data security.
Combining advanced technology solutions with proactive cybersecurity practices and employee training can significantly reduce an organization’s vulnerability.
Bruce Phillips, senior vice president and chief information security officer at MyHome, a Williston Financial Group Company, said attackers, like the RansomHub gang, use increasingly sophisticated methods to breach security.
“They can exploit unnoticed vulnerabilities, making it a constant race for organizations to patch and protect their systems effectively,” he said. “In many incidents, breaches can be traced back to human error, such as clicking on a phishing email or poor password management, providing an entry point for attackers.”
As organizations grow, so does the complexity of their IT environments. Keeping every part secure becomes more challenging, increasing the attack surface for cybercriminals.
“Often, there’s a significant delay between the initial breach and its detection,” said Phillips. “For instance, the unauthorized access in the Patelco case occurred weeks before it was detected, allowing the attackers ample time to steal customer data.”
Regularly assessing an organization’s security posture can help identify and rectify vulnerabilities before they can be exploited.
“Employing state-of-the-art security solutions like advanced endpoint detection and response, network monitoring, and encryption can help in the early detection and prevention of breaches,” said Phillips. “Having a robust incident response plan ensures that the organization can quickly react to a breach, possibly containing it before any significant damage is done.”
Phillips said limiting access rights for users to the bare minimum can help reduce the risk of data exposure in the event of an account compromise. Ensuring that all software is up to date with the latest security patches is critical and encrypting sensitive data can significantly reduce damage even if a breach occurs, he said.
Editor Kimberley Haas contributed to this report.
