Database intrusion at Franklin Savings and Loan
Date Reported:
9/10/08
Organization:
Franklin Savings and Loan
Contractor/Consultant/Branch:
None
Location:
Cincinnati, Ohio
Victims:
Customers
Number Affected:
Unknown
Types of Data:
Name, address, telephone number, Social Security number, account number, and account balance
Breach Description:
"A Franklin Savings database was accessed - breached - by an unauthorized individual."
Reference URL:
Franklin Savings online statement
WCPO Channel 9 News
Report Credit:
Franklin Savings
Response:
From the online sources cited above:
Letters are going out to customers of Franklin Savings and Loan, one of Cincinnati's oldest banks.
An unauthorized individual gained access to a database housing Franklin Savings customer information.
[Evan] How do you suppose this happened? SQL injection? Two things. One, there was obviously a vulnerability that was exploited that allowed the unauthorized individual to gain access to the database. Two is more of a question. Why wasn't the vulnerability identified before it was exploited? Web applications should be developed with information security involvement from the beginning and regular penetration testing should go a long way towards identifying what was missed (hopefully before bad guys/gals do).
personal information may have been accessed, including the following:
- Name
- Social Security number
- Address
- Telephone number
- Account number
- Account balance
We have no indication to date indicating that the accessed information has been inappropriately used, but we are taking numerous precautions to protect our customers.
We have de-activated the web site that was accessed, we have notified law enforcement authorities, who have begun a criminal investigation, and we are conducting an internal investigation.
Franklin Savings also mailed a written notice to all customers who may have been affected.
Franklin maintains a strict "Know Your Customer Policy".
No withdrawals, inquiries, or address changes will be permitted without proper identification.
[Evan] Of course this does little to prevent fraud if a person's identification has been compromised, i.e. identity theft!
Review your Franklin Savings account statements very carefully. If you see something that looks suspicious or that you do not understand, call us immediately at .
As additional protection for our customers, Franklin Savings has arranged to provide you with identity theft protection using the Debix Identity Protection Network for one year free of charge.
If you have questions about this matter, please contact the Franklin Savings Data Breach Hotline at during normal hours of operation: 10 am - 9 pm EDT Monday through Friday and 11 am - 5 pm EDT Saturday and Sunday.
The privacy and safety of our customers' personal information and accounts is our highest priority.
[Evan] Actually Franklin Savings' highest priority is making money (it's a business), but that doesn't sound quite as good.
We stand ready to assist any customer who may have been affected.
We regret that any customer may have been impacted by this unfortunate incident.
Commentary:
There are many details missing in the breach notification letter, so we are left to speculate. The letter is signed by Gretchen J. Schmidt, President & CEO. I almost always admire when a corporate leader addresses customers and employees on information security matters. After all, the information security buck ultimately stops with the organization's leaders.
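Evan's inline comment above floats SQL injection as one possible way into a customer database. The page gives no detail on the actual cause, so the following is an added illustration only, not code from the bank, the news report, or this blog: a lookup written with string concatenation beside the same lookup written as a parameterized query, plus the input-format check a reviewer would expect in front of both. The table, the customer rows and the account-number format are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a customer database; nothing here is real.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (account_no TEXT, name TEXT, ssn TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            ("1001", "Alice Example", "000-00-0001", 1500.00),
            ("1002", "Bob Example", "000-00-0002", 250.75),
            ("1003", "Carol Example", "000-00-0003", 9800.10),
        ],
    )
    return conn


def lookup_vulnerable(conn, account_no):
    # The defect: user input is pasted into the SQL text, so a value containing
    # a quote can change the WHERE clause instead of being compared against it.
    query = (
        "SELECT account_no, name FROM customers WHERE account_no = '"
        + account_no
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn, account_no):
    # The fix: a bound parameter. The driver sends the value separately from the
    # statement, so it can only ever be compared, never parsed as SQL.
    query = "SELECT account_no, name FROM customers WHERE account_no = ?"
    return conn.execute(query, (account_no,)).fetchall()


# Assumed format for this example: account numbers are 4 to 12 digits.
# Rejecting anything else before the query is defence in depth, not a
# replacement for parameterization.
ACCOUNT_NO_RE = re.compile(r"^\d{4,12}$")


def is_valid_account_no(account_no):
    return bool(ACCOUNT_NO_RE.match(account_no))


def lookup_checked(conn, account_no):
    # What a reviewed handler looks like: validate the shape, then bind the value.
    if not is_valid_account_no(account_no):
        raise ValueError("account number has unexpected format")
    return lookup_hardened(conn, account_no)


if __name__ == "__main__":
    db = build_db()
    # The tautology input a code review or penetration test uses to confirm the defect.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("hardened:  ", lookup_hardened(db, probe))    # no row matches that literal
    print("checked:   ", lookup_checked(db, "1002"))
```

The point Evan makes about finding this before an attacker does holds here: the concatenated version passes every functional test a developer would write with well-formed account numbers, and only a security review or a penetration test that sends malformed input exposes the difference between the two functions.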
Past Breaches:
Unknown