Why the ABA Got Hacked — and What It Means for Banks

WASHINGTON — The number of recent data breaches is dizzying.

In recent days, Experian announced 15 million T-Mobile customers' data had been breached, the government raised its estimate of employees' fingerprints that had been compromised nearly fivefold to 5.6 million and Patreon said 2.3 million users' data had been dumped online.

By comparison, the American Bankers Association's announcement that its website had been hacked, resulting in access to 6,400 users' email addresses and passwords, might seem like small potatoes. Yet the attack against the industry trade group was still significant.

The ABA breach — the first ever at the association — may simply be due to greed, with hackers potentially trying to mine users' billing information. But observers said the targeting of ABA members also highlights a potential avenue for criminals to expose banks themselves, or may be a sign the trade group is susceptible to reputational issues still burdening banks seven years after the crisis.

Some experts said the hacking of a trade association website, where users enter personal details to sign up for events or order publications, should raise alarm bells about perpetrators potentially wanting access to credentials an employee might use at a member institution.

"It helps whoever has that data potentially to learn more about the bank that that individual is tied to," said Mercedes Tunstall, a partner at Pillsbury Winthrop Shaw Pittman LLP.

Dmitri Alperovitch, co-founder and chief technology officer at CrowdStrike Inc., said cybercriminals will target a trade group or nonprofit not necessarily to access data about that organization.

"In many of these situations the organizations themselves don't have any proprietary data that criminals or in some cases nation-states would be interested in, but what they do have is information on contacts in that sector," Alperovitch said.

But others said it is possible the ABA could be targeted for the same reasons banks have been in hackers' crosshairs.

"It could be something vindictive from an activist group, and there are activist groups for just about every industry," said Darren Hayes, assistant professor and director of cybersecurity at Pace University's Seidenberg School of Computer Science and Information Systems in New York. "It could be anything from Anonymous, who doesn't like big business and doesn't like the banking industry, all the way up to Iran."

The ABA, which learned of the breach Wednesday, announced it in a letter emailed late Thursday to any customer who had a "shopping cart" on the ABA's site. User login information was posted online, though the group said it has not seen evidence of fraud or that the hacker accessed payment information. The group was informed about the breach by the Financial Services Information Sharing and Analysis Center.

Doug Johnson, senior vice president and the ABA's chief adviser on payments and cybersecurity policy, said that, while there have been past hacking attempts to target the group, "this is to my knowledge the first time that we have seen information in terms of passwords and IDs essentially be compromised."

Johnson said the trade group is "less inclined to worry about the motivation and more inclined to worry about the incident response." After learning of the breach, he said, the group tried to gather more details before announcing it to members.

"We knew we would not know everything when the announcement went out, but we needed to know enough and we felt a real obligation to get the email announcement out as soon as we possibly could to everybody who was essentially in the shopping cart," Johnson said.

Johnson and others noted the potential for hackers accessing email address information to try to use it for "spearphishing," which is when a criminal tries to send a virus or malware from a seemingly trustworthy address. Johnson said one reason the ABA alerted members was "to ensure that individuals were aware of the fact that they could be spearphished."

But observers said the targeting of the ABA shopping cart might suggest hackers were also potentially interested in users' credit card information, or in seeing whether login information could be used on other online sites.

"The majority of hackers couldn't care less about the reputational aspect. They're going after money," said Ron Shevlin, director of research for Cornerstone Advisors.

The ABA told customers that if they used "the same password to access other sites," such as Amazon or airline sites, "we strongly recommend you change those passwords as well."

"When criminal cyber actors are targeting and looking to monetize the information that they are stealing, oftentimes they just scan for certain types of vulnerabilities and it doesn't matter what organization they wind up hacking; it is just the organization that ends up having that vulnerability," said Austin P. Berglas, senior managing director at K2 Intelligence and a former assistant special agent in charge of the Federal Bureau of Investigation's cyber branch in New York.

As with other breaches where hard information about the perpetrator is lacking, other theories abound.

Tunstall noted that some hacking groups are motivated by a desire to highlight security gaps in the government and financial sectors.

"Potentially, this kind of hack could show that, even if the banks have done a better job of circling around, there are also all sorts of other groups that have pretty good information that is tied to those banks and those groups need to take it seriously too. That's possible," she said.

The true motives behind the ABA breach may never be known.

"We only hear about the really high-profile cases," Hayes said. "Everybody is being breached and this is happening on a daily basis."
