Flagstar’s data breach, and what banks can learn from it

Flagstar Bancorp fell victim to a recent data breach in which personal information of employees and customers, including Social Security numbers and mailing addresses, was leaked and the thieves sought to extort some employees.

The hackers exploited a flaw in Accellion’s File Transfer Appliance software, which the bank was using to secure sensitive content. Dozens of other Accellion clients were affected by the incident, including the law firm Jones Day, Harvard Business School and the Reserve Bank of New Zealand.

The $31 billion-asset Flagstar, of Troy, Mich., declined a request for an interview but pointed to the breach notification it posted on its website on March 6.

The incident is a reminder that though banks generally have top-notch security, they are still vulnerable to threats involving the software they use and the third-party vendors with which they work, and even the vendors with which those vendors work.

The case also highlights the relatively new trend of cybercriminals leaking portions of sensitive customer data to coerce companies or individuals to pay money to stop the leaks. And it demonstrates that even midsize and smaller banks may need to invest in sophisticated attack simulations and cyberthreat-hunting exercises in addition to all the security practices they already follow.

“We are seeing a clear trend of attacks on third-party suppliers, especially software vendors, to the financial sector as well as other industries,” said Steve Silberstein, CEO of the Financial Services Information Sharing and Analysis Center. “While financial services firms tend to have robust cybersecurity controls and defenses, third and fourth parties performing critical services for multiple valuable clients will continue to be lucrative targets for threat actors with a variety of motivations.”

Public pressure on banks is only building as consumers say they care heavily about how the companies they work with protect their data. A recent consumer survey by Arizent, the parent company of American Banker, found that nearly eight out of 10 consumers consider security a primary or important consideration when choosing banks.

What can other banks do to avoid falling victim to this kind of attack? The answer is to educate themselves on how they occur, understand the potential consequences and adopt cutting-edge defensive measures.

How the breach happened

Hackers broke in through several vulnerabilities in Accellion’s File Transfer Appliance software, which they exploited to inject malicious code into the program and then extract personal information, according to an investigation conducted by FireEye Mandiant.

The attacks, which were conducted in December and January, exploited zero-day vulnerabilities, meaning flaws that had not been seen before and for which no patches were available at the time. Accellion issued patches within four days of the first attack.

“When we looked at the hackers’ ability to apply that vulnerability and create an exploit that worked, it really appeared like it was somebody that was very experienced who had invested quite a significant amount of time creating the exploit,” said David Wong, cybersecurity leader and incident responder at Mandiant, a consulting unit of FireEye.

Accellion engaged FireEye Mandiant to investigate the attacks on its FTA software, to review the FTA software for any other potential security vulnerabilities and to produce a report.

Somewhat ironically, Accellion describes FTA as a content firewall, and companies buy it to protect their most valuable data. So for the victims, this breach was like buying a safe and putting your most expensive jewelry in it, only to have burglars break into that safe and grab all that jewelry, leaving the rest of the house intact.

It’s unclear who the hackers were, according to Brett Callow, threat analyst at Emsisoft, a threat investigation and anti-malware provider.

A ransomware gang called Clop published some of the stolen data on the dark web and then threatened victims that it would publish more if they didn't pay up, according to Callow.

“But it's not clear whether they were actually responsible for the hacks or whether they were simply brought in because extortion is their area of expertise,” Callow said.

The FTA software is 20 years old and was due to be retired at the end of April. Accellion has been working for the past three years to migrate customers to a new version of the software, kiteworks, while still supporting FTA.

Wong sees the breach as a third-party as well as a first-party risk.

“If you use vendors for printing credit cards or sending statements, you're still responsible for the security of those third parties,” he said. “So if you're a bank and you have third parties that are using Accellion FTA and they were hacked, you have a responsibility to make sure that your customers’ data is secure.”

For instance, some of the victims of the Accellion data breach were law firms.

“If you uploaded information about your customers to a law firm that was affected, you have a responsibility to go check with those vendors to make sure you understand what data was stored there and whether it was possibly compromised,” Wong said.

Extortion effort

An unusual aspect of this attack, Wong said, is that the criminal gangs used the stolen information as leverage to pressure employees to pay to prevent more data from being made public.

Ransomware groups have been exfiltrating stolen data and posting some of it on the dark web to pressure companies into paying ransom since late 2019. In most such cases during the past year, they would first shut down systems and encrypt data, then use the stolen data for extortion.

In this case, there was data theft and extortion, but no encryption of files. This could be because the hackers were unable to obtain access to the entire corporate network.

“They're slowly extorting victims a couple at a time,” Wong said. “They probably have more victims to try to extort money from than they actually have time. There were some that came out in December and January, and three more came out in early March. So it seems like they're trying to take their time, and try to maximize the amount of money that they're going to get out.”

Like demands for ransom, extortion is exceedingly tricky to deal with.

“The best answer is, the organization should never pay because that incentivizes cybercrime,” Callow said. “If nobody paid, the attacks would stop. But realistically, when companies are faced with the choice of either having their data exposed to the public or losing access to it permanently, the answer may not be so obvious.”

Typically in such attacks, hackers make a copy of an organization’s data, which they keep, and encrypt the company’s version of it so it becomes inaccessible, Callow said.

If a company pays the criminals to prevent its data from being published, “all they receive is a pinkie promise from the criminal that they won’t do this,” Callow said. And some organizations have been extorted twice with the same set of data, he said.

There doesn’t seem to be a playbook yet for what to do when you’re extorted.

“It's a very challenging situation for victims of cyberattacks and extortion, because companies want to protect their customers, so they can at least notify them and encourage them to take some measures to try to protect themselves, by checking their credit reports and whatnot,” Wong said. “At the same time, when you're looking at potentially paying off these criminals, nobody wants to do that. It just sounds so bad. And if you pay these guys, it's like adding fuel to the fire — you're just encouraging them to commit more crimes.”

U.S. bank regulators have also warned banks that some cybercriminals are associated with terrorist organizations.

“If a bank makes a payment, wittingly or unwittingly, to a terrorist organization like that, that's a federal crime,” Wong said. “It's a very difficult situation, because if you don’t pay, invariably what the attacker will do is start releasing data, which potentially can cause some harm to customers. As the bank, the best thing you could do is find out what data was there, do forensic analysis, and then notify customers.”

Red-teaming, other defensive tactics

Two defensive tactics banks can use to try to avoid falling victim to a breach like this one are red-teaming — simulating attacks to measure how well you are prepared to respond — and threat-hunting.

“The premise behind threat-hunting is to assume you are already compromised and have a team comb your systems for what the compromise is,” Silberstein said. “To do this effectively, cyberdefense teams should understand the current threat actors targeting the sector and their attack strategies. FS-ISAC produces intelligence reports for security testers that detail attack scenarios that they can use internally to detect the same malicious behaviors.”
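The threat-hunting premise Silberstein describes, starting from the assumption that a system is already compromised and combing its records for evidence, can be made concrete with a small hunt over a file-transfer server's access log. The following is an added example written for this article, not code from Flagstar, Accellion, FS-ISAC or Mandiant; the log format, the account names, the IP addresses and the business-hours window are all constructed for the illustration. It looks for two behaviours a defender would expect from stolen data leaving a file-transfer appliance: an account's daily download volume jumping far above its own baseline, and off-hours downloads from a source address never before seen for that account.

```python
"""Threat-hunting pass over a file-transfer appliance's access log.

Hunt hypothesis: code planted on a managed file-transfer server will pull
far more data, at different hours and from different places, than the
legitimate accounts normally do. Two rules express that:
  1. an account's daily download bytes spike to >= SPIKE_FACTOR times
     the median of its own prior days;
  2. a download happens outside business hours from a source address
     never seen for that account before.
The key=value log format and every line in SAMPLE_LOG are constructed for
this example and do not reproduce any real product's log format.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample log: one event per line, timestamp then key=value pairs.
SAMPLE_LOG = """\
2021-01-18T14:02:11Z acct=analyst1 src=198.51.100.20 action=download file=stmt_jan.pdf bytes=120000
2021-01-18T15:40:03Z acct=analyst1 src=198.51.100.20 action=download file=stmt_feb.pdf bytes=110000
2021-01-18T16:11:45Z acct=svc_report src=198.51.100.31 action=upload file=daily_report.csv bytes=900000
2021-01-19T09:30:12Z acct=analyst1 src=198.51.100.20 action=download file=stmt_mar.pdf bytes=130000
2021-01-19T16:10:02Z acct=svc_report src=198.51.100.31 action=upload file=daily_report.csv bytes=910000
2021-01-20T10:05:59Z acct=analyst1 src=198.51.100.20 action=download file=stmt_apr.pdf bytes=125000
2021-01-20T16:12:40Z acct=svc_report src=198.51.100.31 action=upload file=daily_report.csv bytes=905000
2021-01-21T02:14:07Z acct=analyst1 src=203.0.113.9 action=download file=customers_export.csv bytes=48000000
2021-01-21T02:15:30Z acct=analyst1 src=203.0.113.9 action=download file=employees_export.csv bytes=22000000
2021-01-21T16:09:51Z acct=svc_report src=198.51.100.31 action=upload file=daily_report.csv bytes=908000
"""

BUSINESS_HOURS_UTC = range(7, 20)  # assumed: 07:00-19:59 UTC is normal activity
SPIKE_FACTOR = 5                    # flag a day at >= 5x the account's median
MIN_BYTES = 1_000_000               # ignore spikes below 1 MB total


def parse_log(text):
    """Parse the constructed log into dicts with a UTC datetime and int bytes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["bytes"] = int(rec["bytes"])
        events.append(rec)
    return events


def hunt(events):
    """Return sorted hunt leads as (account, day, reason, detail) tuples."""
    events = sorted(events, key=lambda e: e["ts"])
    daily = defaultdict(lambda: defaultdict(int))  # acct -> day -> download bytes
    seen_src = defaultdict(set)                     # acct -> source IPs seen so far
    leads = []
    for e in events:
        acct = e["acct"]
        if e["action"] != "download":
            seen_src[acct].add(e["src"])            # uploads still establish "known" sources
            continue
        day = e["ts"].date().isoformat()
        # Rule 2: off-hours download from a source this account has never used.
        if e["ts"].hour not in BUSINESS_HOURS_UTC and e["src"] not in seen_src[acct]:
            leads.append((acct, day, "off-hours download from new source", e["src"]))
        seen_src[acct].add(e["src"])
        daily[acct][day] += e["bytes"]
    # Rule 1: daily volume compared with the median of the account's prior days.
    for acct, days in daily.items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            prior = [t for _, t in ordered[:i]]
            if not prior:
                continue                            # no baseline yet for this account
            baseline = median(prior)
            if total >= MIN_BYTES and total >= SPIKE_FACTOR * baseline:
                leads.append((acct, day, "download volume spike",
                              f"{total} vs median {int(baseline)}"))
    return sorted(set(leads))


if __name__ == "__main__":
    for lead in hunt(parse_log(SAMPLE_LOG)):
        print(*lead)
```

Run against the constructed log, the hunt produces two leads, both for `analyst1` on 2021-01-21: a 70 MB day against a baseline of about 130 KB, and a 02:14 UTC download from an address that account had never used. The service account that only uploads a report each afternoon produces none. Both rules deliberately baseline each account against itself rather than against a fixed threshold, because a legitimate bulk user and a compromised low-volume user can move the same number of bytes; what changes in a compromise is the deviation from that account's own history.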

Most banks do have these kinds of defense tactics in place, Callow said.

“Ransomware attacks are very common across most sectors, but it's quite rare for U.S. banks to be affected,” Callow said. “And that's because generally they do have quite good security.”

Some banking regulations, for instance from the New York State Department of Financial Services and the interagency Federal Financial Institutions Examination Council, recommend vulnerability testing, network scans and annual penetration tests as well as red teaming.

Such efforts might not necessarily catch a zero-day vulnerability, Wong cautioned. A best practice is to “build computer systems assuming that part of your network might get hacked, your network is not always going to be perfect. The attackers are going to be able to find some cracks, but what you want to be able to avoid is a small flare-up turning into something that burns down the entire building.”

Another best practice is to constantly audit and test controls, Wong said.

“It would be like making sure all your locks are locked in, your windows are closed before you go to bed at night,” Wong said. “You want to be able to check that before you go to sleep, make sure you have a good lock that can't be picked.”

Many banks share information about their attacks as soon as they can with organizations like the FS-ISAC.

“If you subscribe to those sources and you get that information quickly, you could be able to be proactive at either identifying the attacks or knowing that they're coming, and mitigate it before it happens,” Wong said.

A standard breach response for banks is to provide customers with free credit monitoring for a year, so in theory they can see if their account data is being used to take out loans or credit cards.

Some say a year is not enough.

“Some groups have said: ‘Go ahead and do that. We'll just sit on this data for a year and then defraud your customers,’ ” Callow said.
