File containing Interbank FX customer information exposed for almost a year
Technorati Tag: Security Breach
Date Reported:
4/9/08
Organization:
Interbank FX, LLC ("IBFX")
Contractor/Consultant/Branch:
None
Victims:
Customers and prospective customers prior to April 2, 2007
Number Affected:
Unknown
Types of Data:
"social security number, driver's license, and passport information, and may also include your Interbank FX account information"
Breach Description:
In April 2007, an employee posted a file to an insecure server that was accessible via the Internet. The file contained personal information belonging to certain persons who applied for an Interbank FX account prior to April 2007. Interbank FX became aware of the exposure on March 28, 2008.
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
The letter to victims is signed by Todd B. Crosland, CEO and President of Interbank FX
[Evan] This fact is important to note. I admire corporate leaders who step up and respond to an incident. Mr. Crosland seems to understand his role very well as it pertains to information security. Business leaders are the people who are ultimately responsible for the security of the organizations they run.
We are writing to inform you of a matter that may affect you. The security of some personal information you provided as you considered our service was inadvertently compromised.
Interbank FX has thoroughly investigated the matter, has taken immediate steps to protect your information, and is taking the additional precautions outlined in this letter to assist you in monitoring and guarding the security of your personal information.
The incident involved an electronic file dated April 2, 2007, which contained personal information provided by certain individuals who had applied for an Interbank FX account prior to that date.
Around that time, an employee uploaded the file to a computer server accessible via the internet.
[Evan] So, sometime around April 2007 is the date of the actual exposure.
The employee's action - placing the file outside of the Company's development lab, firewalls and secure computing environment - was contrary to Interbank FX policies and procedures and compromised the security of the information in the file.
[Evan] I understand what this statement means, but I also want to make it clear that a "development lab, firewalls, and secure computing environment" do not ensure security. There is a lot of room for interpretation.
The file contained the information you provided to us when you opened or considered opening an account with us. This may include your social security number, driver's license, and passport information, and may also include your Interbank FX account information.
Upon learning on March 28, 2008 that this information was available outside our secured computing environment, the Company took immediate steps to secure the information.
[Evan] The breach was discovered (by Interbank FX) almost a year later. The window of exposure was pretty long.
Within hours of that discovery, all files containing sensitive personal information were removed from the server and brought within the Company's firewalls and electronic security controls.
We also terminated the employee's access to all personal information in Interbank FX's files.
You are receiving this letter because your application information was provided prior to April 2, 2007.
The incident does not affect anyone who applied for an Interbank FX account after April 2, 2007.
Interbank FX is committed to protecting your personal information. Thus, we are offering you the opportunity to enroll, at no cost to you, in Equifax Credit Watch(TM) Gold with 3-in-1 Monitoring for a one-year period.
[Evan] Although one year has become a sort of de facto standard in breach responses, it is not long enough. A Social Security number is valuable for a much longer period of time.
We also will reimburse you for the direct cost of any freeze you choose to put on your credit file as a result of this issue.
[Evan] I thought that this statement was interesting. Maybe I don't read breach notifications thoroughly enough, but I don't think I have seen this offer before.
As an additional precaution, we also encourage you to change any password you created for your Interbank FX account prior to April 2, 2007.
We have established a toll-free hotline () to answer your questions and assist you in signing up for the Equifax Credit Watch(TM) program. We ask you to notify us immediately if you notice (or have noticed) any unusual activity in any of your accounts.
We regret this incident and apologize for any inconvenience.
Commentary:
One year of exposure is a very long time for confidential information. I wonder how the company finally learned about the presence of the file(s). What do you suppose are the chances that the employee who uploaded the file:
1. Was not aware of the "Interbank FX policies and procedures" that pertained to his/her actions?
2. Was not aware that the file contained sensitive personal information?
3. Was not aware that the server was insecure and accessible publicly?
4. All of the above?
Personnel that handle sensitive information must be trained and re-trained. These personnel must also be reminded regularly through an ongoing awareness program.
Past Breaches:
Unknown
I'm not surprised by this breach. Interbank has had lax security measures for some time. I believe they have improved their processes recently, but for many years they were abysmal.
One year is indeed paltry for 'credit protection.' In fact, the entire affair smells to high Heaven.
Look carefully at what Todd the Snake Crosland's press release said. It's fairly clear the employee was instructed to post this data on the website it ended up on, and that the instruction came from IBFX staff. The employee wasn't even disciplined, let alone terminated. Does that tell you something?
At any rate, there is nothing -- repeat, nothing -- that IBFX could do to remedy such a breach. The damage potential is endless and the repercussions could come in any form, at any time.
It's unbelievable nonsense that IBFX 'took immediate steps to secure the information' -- a year after it was first made public. There is no 'securing' of private data once it's put up for all to see.
Since Todd knows where the info was posted, the server logs should tell him who accessed it. Hmm. That's a good question to ask him.
Clients' personal data was published on the internet. It's GONE. You cannot ever take it back. By now, a full database has no doubt been compiled by multiple parties including things about you and your finances you didn't even know yourself.
And not only clients. Anyone who APPLIED for an account; anyone who STARTED applying for an account, meaning you filled out a screen or two of the web-based application info, but then perhaps thought better of it and closed the browser window.
Guess what? Yes, you, too.