Friday, June 7, 2013

Full Extent of FIS Breach Comes to Light; Worse Than Reported

In a report released in late May to Fidelity National Information Services (FIS) customers, the FDIC disclosed that the 2011 FIS breach was worse than originally reported. Among the items revealed, the report disclosed that:
  • vulnerability scan reports from November 2012 still showed 18,747 network vulnerabilities and over 291 application vulnerabilities as past due;
  • while financial losses were low, the attackers obtained technological information that could present a significant risk to other organizations and may be linked to recent pre-paid ATM cash-out frauds;
  • “From review of the previous investigation reports, along with other documentation provided by FIS, examiners and payment card industry experts identified over 2,000 touch points that indicated a broad exposure of internal FIS systems and client related data.”
Since the breach, FIS invested $100M in improving security at the institution. Investigators probing the breach at FIS may have been denied key clues about the source of the intrusion because FIS incident response personnel wiped many of the compromised systems and put them back on the network before the machines could be properly examined.

Of particular interest is the manner in which the FDIC released these findings. The organization released its report directly to FIS customers with a cover letter that began with the message, “We are sending you this report for your evaluation and consideration in managing your vendor relationship with FIS.”

Brian Krebs provides a phenomenal overview of the report and the current situation at FIS. You can read his blog entry here. Meanwhile, I would expect other financial institutions to receive more questions about vulnerability management, patch management, and other basic security blocking-and-tackling practices.
