Discovering a Vendor Data Mistake: A Lesson from the Fiserv Flaw

Michael Berman

3 min read

Sep 5, 2018

Have you ever swapped out a number or letter in a URL to skip to another page? Cybersecurity researcher and ethical hacker, Kristian Erik Hermansen, did just that with startling results.

Hermansen received an email alert from his bank and noticed an “event number” in the URL. By editing the event number in his browser, he was able to access other bank customers’ sensitive information, including their email, phone number, and full account number, KrebsOnSecurity reports.

The problem was the result of a security flaw in a Fiserv application that emails customers account activity alerts. The bad news was that it was not limited to one bank, a Krebs investigation uncovered.

Brian Krebs followed up on Hermansen’s research by opening an account at two other Fiserv banks and was able to see email addresses, phone numbers, alert parameters, and partial account numbers for other customers just by changing a single digit.

Fiserv has since fixed the problem, but it’s unclear how many banks were affected, how long this flaw has existed, and whether it was exploited in phishing or social engineering attacks.

The Good News

Once Fiserv heard about the problem from KrebsOnSecurity, the problem was promptly solved.

“Fiserv places a high priority on security, and we have responded accordingly,” Fiserv spokesperson Ann Cave said to KrebsOnSecurity. “After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”

The Bad News

Krebs heard about the flaw from Hermansen one week before beginning his investigation. Then it took several days to conduct his own investigation. During this time the problem went uncorrected even though Hermansen says he informed his bank of the problem and “tried unsuccessfully to get the attention of different Fiserv employees, including the company’s CEO via LinkedIn.”

What went wrong? I couldn’t begin to say. Perhaps Hermansen told someone at his bank about the problem, but that person didn’t think to pass the information up the line. Perhaps it did go up the line, but got lost in the shuffle of an overstuffed email inbox. I’d like to think if the bank told Fiserv about it, the flaw would have been corrected just as quickly as it was when contacted by the media.

Vendor Risk Management Procedures

Regardless of what happened, your institution needs a plan so everyone knows what to do in the event a vendor issue develops. That includes:

A system for handling customer complaints. Being able to access other customer’s data is a serious complaint, one that should be promptly logged and corrected. Make sure your institution has policies and procedures in place for handling customer complaints. That’s not just a potential vendor management issue. It’s a regulatory expectation.

Clear in-house reporting requirements for vendor issues. In this case a customer uncovered a problem, but it could easily have been an employee who discovered an issue with a third-party product, system, or service. Make sure you have procedures for passing along information about vendor issues, and train staff on what to do. Make it clear who information should be reported to and how it should be reported. Include follow up procedures to ensure nothing gets lost.

Knowing which vendor, employee, or department to report issues to. If you encounter a security flaw or other issue, make sure you know exactly who to contact at the company. Don’t just send an email to a generic email box. Also ask for estimates for how long before the problem will be fixed, what will be done to solve the problem in the short term, and how you will be updated with developments.

Vendors make mistakes. We all do. Make sure you have plans in place to ensure that when mistakes are uncovered they are dealt with promptly and properly.

You can’t count on the media to pounce on the problem every time.

Related: Vendor Risk Countdown: Top 10 Risks Third-Party Vendors Pose to Your Financial Institution

Subscribe to the Nsight Blog

All Topics Risk & Compliance Product Insight Banks Lending Compliance Credit Unions Risk Management Fair Lending Nfairlending Cluster: Risk Management Compliance Lending Compliance Management Integrated Risk Blog Nrisk Regulatory Compliance Management News & Updates HMDA Risk Mortgage Lenders Ncomply Vendor Management Business Resiliency CRA Lending Compliance Blog Vendor CFPB Ncontinuity Third-Party Vendor Management Business Continuity Cybersecurity Fintech NVendor Strategic Planning Ncyber Ntransmittal Audits & Findings Company Culture OCC Regulatory Updates Audit Nverify Regulatory Compliance Exams FDIC Compliance Management Findings Nfindings NCUA Contract Management Employee Intranet Contract FRB Business Continuity Management FFIEC Findings Management Ncontracts manager Third-Party Vendors Vendor Risk Enterprise Risk Management ABA Bank Access Control Audit Findings Board Portal Call Report Due Diligence Efficiency Employee Engagement Exam findings FIEC Inc. 5000 Internal Audit Management Nboardportal Verify Wealth Management

Solutions

Risk Solutions

Vendor Solutions

Compliance Solutions

Lending Compliance

Risk Performance Management

Software Solutions

Risk Management Software

Vendor Management Software

Compliance Management Software

Continuity Management Software

Fair Lending Compliance Software

Findings Management Software

Audit Management Software

Cybersecurity Assessment Software

1071 Compliance Software

Employee Network/Intranet Software

Accredited Certification Program

Banks

Credit Unions

Mortgage Lenders

Fintech

Wealth Management

Nsight Blog

Webinars

Ncast Podcast

Regulatory Pulse

Events

Nsider Community

Dig into our Nstitute Certified Vendor Management Professional Training!

Featured Resources

Webinar: What Does Resilience Look Like?

Regulatory Pulse March 2024

Webinar: The Future of Risk Management

9 Fair Lending Compliance Training Essentials

Podcast: Succeeding All Together, Banking and Company Intranets

Book: The Upside of Risk

Resource Hub

About Us

News

Leadership

Partnerships

Join the Team

Ncontracts Highlights

Ncontracts Launches Nstitute & the Certified Vendor Management Professional (NCVMP) Certification

Ncontracts named Top Workplace for Third Consecutive Year in 2023

Ncontracts and CBANC Release New Report

Event: Ngage 2023 Nashville

Discovering a Vendor Data Mistake: A Lesson from the Fiserv Flaw

The Good News

The Bad News

Vendor Risk Management Procedures

Related: Vendor Risk Countdown: Top 10 Risks Third-Party Vendors Pose to Your Financial Institution

Subscribe to the Nsight Blog

Share this

You May Also Like

3 Lessons Learned from a Third-Party Vendor Breach

OCC: Marketplace Lenders Are Third-Party Vendors

Is Your Third-Party Vendor Contract Specific Enough When It Comes to Cybersecurity?