Potential Bank Customer Data Exposed through Fiserv Platform Flaw

Security researchers and cybersecurity experts recently discovered a weakness in Fiserv’s web platform, which may have exposed the personal and financial details of customers across hundreds of internet banking sites. The flaw involved a messaging platform used by Fiserv to send account alerts to customers of Fiserv-affiliated banks. These alerts can be set up to notify the customer of certain events, such as when a balance passes a threshold. Someone noticed that the alert was delivered as a link to a web page whose address contained a numeric event identifier, like 17835, and that changing the number gave access to another customer’s alert. For example, by simply changing 17835 to 17836 and leaving the rest of the web address the same, the user could view an alert belonging to another customer. This exposed the other customer’s email address, phone number, and the last four digits of the customer’s bank account number, and it allowed the user to view and even edit alerts set up by the other customer, including the email address or phone numbers to which that customer’s alerts were sent. Fiserv has reportedly addressed this flaw by making the identifiers no longer sequential, replacing the numeric event identifier with a pseudo-random string of characters.
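The weakness described above is an insecure direct object reference: the server looks an alert up by the identifier in the URL and never checks that the logged-in customer owns it. The following is an added illustration, not Fiserv’s code or anything from the KrebsOnSecurity report. The `AlertService` class, the `Alert` record, the customer names and the starting counter value are constructed for the example (the counter starts at 17835 only to mirror the article’s numbers). It shows the vulnerable lookup beside two defensive changes: the unguessable identifier the article says Fiserv introduced, and a server-side ownership check on every view and edit.

```python
"""IDOR on an alert-lookup endpoint: vulnerable handler beside hardened form.

Added example; the service, record and names are constructed, not Fiserv's code.
"""
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a customer asks for an alert that is not theirs."""


@dataclass
class Alert:
    owner: str          # customer who configured the alert
    email: str          # address the alert is delivered to
    phone: str          # number the alert is delivered to
    account_last4: str  # last four digits of the account number
    threshold: float    # balance threshold that triggers the alert


class AlertService:
    def __init__(self):
        self._alerts = {}
        self._next_seq = 17835  # constructed; sequential counter as in the article

    # --- vulnerable design -------------------------------------------------
    def create_sequential(self, alert):
        """Issue a sequential numeric event identifier (trivially guessable)."""
        event_id = str(self._next_seq)
        self._next_seq += 1
        self._alerts[event_id] = alert
        return event_id

    def view_alert_vulnerable(self, requesting_user, event_id):
        """Look the alert up by id only; never asks who is requesting it."""
        return self._alerts[event_id]

    # --- hardened design ---------------------------------------------------
    def create_random(self, alert):
        """Issue an unguessable identifier (the change the article describes)."""
        event_id = secrets.token_urlsafe(16)  # 128 bits of randomness
        self._alerts[event_id] = alert
        return event_id

    def view_alert(self, requesting_user, event_id):
        """Enforce ownership server-side; random ids alone are not a control."""
        alert = self._alerts.get(event_id)
        if alert is None or alert.owner != requesting_user:
            # Same response for "missing" and "not yours" so ids cannot be probed
            raise Forbidden("alert not found")
        return alert

    def update_contact(self, requesting_user, event_id, email=None, phone=None):
        """Editing delivery details goes through the same ownership check."""
        alert = self.view_alert(requesting_user, event_id)
        if email is not None:
            alert.email = email
        if phone is not None:
            alert.phone = phone
        return alert


def demo():
    """Constructed scenario: two customers, one of whom alters the id by one."""
    svc = AlertService()
    alice = Alert("alice", "alice@example.com", "555-0100", "1234", 500.0)
    bob = Alert("bob", "bob@example.com", "555-0101", "5678", 100.0)
    a_id = svc.create_sequential(alice)  # "17835"
    b_id = svc.create_sequential(bob)    # "17836"
    # Vulnerable path: alice requests a_id + 1 and receives bob's record.
    leaked = svc.view_alert_vulnerable("alice", str(int(a_id) + 1))
    # Hardened path: the same request is refused.
    try:
        svc.view_alert("alice", b_id)
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "alice_id": a_id,
        "bob_id": b_id,
        "leaked_last4": leaked.account_last4,
        "blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The two fixes are complementary, not alternatives: an unguessable identifier stops casual enumeration of the address bar, but only the ownership check in `view_alert` prevents a customer who obtains someone else’s link (from a forwarded e-mail, a shared device, a proxy log) from reading or editing that alert.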

KrebsOnSecurity made this discovery public today. Data security breaches are key risk areas for businesses, and an effective breach management process can help minimize that risk. While there are still many unanswered questions, we anticipate that many banks and financial services organizations that utilize the Fiserv platform may receive questions from customers, users, investors and, possibly, regulators. Organizations that may be at risk should consider engaging their Incident Response Team to review any abnormal log-ins and conduct an internal investigation. In addition, organizations should review their vendor services agreements (including those with Fiserv) to determine who is ultimately responsible for data security incidents.
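One concrete task for an Incident Response Team reviewing access to an alert platform of this kind is to look, in the web server or application logs, for sessions that walked through consecutive event identifiers or retrieved alerts belonging to other customers. The script below is an added example, not part of this update and not a Fiserv tool. The log line format, the field names, the customer names and the ownership table are all constructed for the illustration; a real review would adapt the regular expression to the platform’s actual log format.

```python
"""Review constructed access-log lines for identifier enumeration.

Added example; log format, sessions, users and ownership table are constructed.
"""
import re
from collections import defaultdict

# Constructed log format: timestamp, session, user, request, HTTP status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"GET /alerts/view\?id=(?P<event_id>\d+) (?P<status>\d{3})$"
)

# Constructed sample: alice views her own alert, then the next four ids in
# sequence; bob views only his own alert.
SAMPLE_LOG = """\
2018-08-28T10:01:02Z session=S1 user=alice GET /alerts/view?id=17835 200
2018-08-28T10:01:09Z session=S1 user=alice GET /alerts/view?id=17836 200
2018-08-28T10:01:15Z session=S1 user=alice GET /alerts/view?id=17837 200
2018-08-28T10:01:21Z session=S1 user=alice GET /alerts/view?id=17838 200
2018-08-28T10:01:27Z session=S1 user=alice GET /alerts/view?id=17839 200
2018-08-28T10:02:40Z session=S2 user=bob GET /alerts/view?id=17836 200
""".splitlines()

# Constructed ownership table: which customer each event id belongs to.
OWNERS = {17835: "alice", 17836: "bob", 17837: "carol", 17838: "dave", 17839: "erin"}


def parse(lines):
    """Turn matching log lines into dicts; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ts": m["ts"],
                "session": m["session"],
                "user": m["user"],
                "event_id": int(m["event_id"]),
                "status": int(m["status"]),
            })
    return events


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    ids = sorted(set(ids))
    if not ids:
        return 0
    best = cur = 1
    for a, b in zip(ids, ids[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def find_sequential_scans(events, min_run=4):
    """Sessions whose requested ids form a consecutive run of at least min_run."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["session"], e["user"])].append(e["event_id"])
    flagged = {}
    for key, ids in by_session.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[key] = run
    return flagged


def find_cross_customer_access(events, owners):
    """Successful views of an alert whose recorded owner is another customer."""
    return [
        e for e in events
        if e["status"] == 200
        and e["event_id"] in owners
        and owners[e["event_id"]] != e["user"]
    ]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("sequential scans:", find_sequential_scans(evts))
    for e in find_cross_customer_access(evts, OWNERS):
        print("cross-customer view:", e["ts"], e["session"], e["user"], e["event_id"])
```

The ownership check (`find_cross_customer_access`) is the more reliable signal, since it identifies exactly which customers’ records were viewed and therefore who may need to be notified; the sequential-run heuristic is useful when the ownership table is not readily available or when the platform does not log the requesting user.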

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bradley Arant Boult Cummings LLP | Attorney Advertising

Written by:

Bradley Arant Boult Cummings LLP


