Security researcher Brian Seely recently discovered that a misconfigured Oracle Reports database server at bond insurer MBIA had exposed customer account numbers, account balances and other data for MBIA’s Cutwater Asset Management.
According to investigative reporter Brian Krebs, who first reported the breach, much of the data had been indexed by search engines, including a list of admin credentials that could be used to gain access to other data at Cutwater.
Data indexed by Google included account holders' names as well as account and routing numbers for major accounts, including the Texas CLASS, the Louisiana Asset Management Pool (LAMP), the New Hampshire Public Deposit Investment Pool (NHPDIP), Connecticut CLASS Plus, and the town of Richmond, New Hampshire.
In some cases, Krebs notes, the data indexed by search engines included detailed instructions on how to authorize new bank accounts for deposits, including the forms and fax numbers needed to submit such information.
“Malicious hackers finding dozens of universities or companies with Social Security numbers, health data or other information is devastating, but stumbling on bank accounts and the instructions for how to empty them is potentially catastrophic,” Seely told Krebs. “Billions in taxpayer funds, invested into one of the largest institutions in the world that were essentially being guarded by a sleeping security guard. What happens to those states when the money disappears?”
Seely told the Washington Post that when he first tried to contact MBIA about the exposed data, the company didn’t respond to his calls and emails.
“We are conducting a thorough investigation and will take all measures necessary to protect our customers’ data, secure our systems, and preserve evidence for law enforcement,” MBIA spokesman Kevin Brown said in a statement.
As Krebs notes, all organizations running Oracle Reports Services should review Oracle's guidance on securing those systems to ensure that they aren't similarly exposed.
HyTrust president and co-founder Eric Chiu said by email that the MBIA breach serves as another stark example of insider threats, which can have a huge impact regardless of whether they’re accidental or malicious. “Additionally, misconfiguration is one of the major causes of breaches and downtime — the fact that thousands of customer records and administrative credentials were accessed is a reminder of the severe damage that misconfiguration can cause,” he said.
“The same policy-based controls and role-based monitoring to prevent insider threats are critical to prevent misconfiguration and alert companies to potential issues,” Chiu added. “With cyber criminals on the hunt for valuable data, companies need to be vigilant when it comes to protecting customer information.”
The MBIA breach isn’t unique — misconfigured servers have caused a spate of recent data breaches. In November 2013, approximately 2,000 Chicago Public Schools students’ personal information was exposed when a server was incorrectly configured; in January 2014, EasyDraft, which was processing payments for Bright Horizons Family Solutions, acknowledged that a misconfigured server had been exposing Bright Horizons customers’ names, bank routing numbers and bank account numbers since October 2012; and in May 2014, San Diego State University began notifying 1,050 people that a misconfigured server had exposed their names, Social Security numbers, birthdates and addresses.