By now, you’ve already heard that hackers ‘may have’ stolen around 90,000 records worth of information, including usernames, passwords, security questions & answers, birthdays and social insurance numbers, and more, from the Bank of Montreal (BMO) and Simplii Financial (CIBC).
For me, the fact that the banks were hacked was not surprising. The sophistication of attacks is ever-increasing, and banks are often targeted.
Nor was the fact that a ransom was demanded rather than the records being sold or published outright. Holding assets hostage (personal information, credentials, intellectual property, etc.) has become a common tactic; ransomware is simply its most familiar form.
So, you may be expecting heads to roll at the banks. Customer information is at risk, there’s vast potential for fraud… shouldn’t the axe fall on some security analyst who dropped the ball?
You may be surprised to learn that (at least in BMO’s case) the answer is: no, it should not. And perhaps even: no, it won’t.
Why? They made the right moves:
1) They told the public
Unlike other high-profile breaches where customer information was stolen (Equifax; Uber), the banks involved went public with it right away. To be fair, if we’re to believe the email circulating amongst media outlets (purportedly sent by the hackers), it was going to become public anyway. At least they got in front of it.
2) They detected the intrusion, and responded (albeit poorly) to it
That same email asserts that “[BMO] noticed quite quickly” when hackers began extracting data.
BMO then throttled the channel through which the hackers had originally accessed the data (I’m paraphrasing). This could have been a reaction to the traffic volume they saw on it. One commenter suggests the activity may have been misread as a DDoS attack, in which case throttling the channel starts to make a little more sense.
At the end of the day, are customers going to switch to another bank over this? Given that multiple institutions were targeted, would you feel your information was any safer at another bank? I think most people will simply (no pun intended) change their passwords and security questions and watch for subsequent fraudulent activity, all with the bank’s assurance that if they are defrauded, it won’t cost them anything.
Having considered the customer perspective, what about the cybersecurity perspective? I will say that the moves BMO made were in keeping with the new cybersecurity paradigm of detection and response. That the response was insufficient likely has more to do with the role of the person who made it than with that person having made a mistake.
Time, and the subsequent actions of the perpetrators, will tell us of the ultimate impact to BMO & Simplii.
That said, my focus here is on action, not outcome. Here’s what they did wrong:
1) They failed to proactively address the vulnerability
Once again assuming that the “hacker email” is authentic in both source and content, it asserts that in BMO’s case the vulnerability had existed since January of this year. Even if we take the end of January (the ‘hackers’ aren’t specific about the date), that leaves 115 days between the vulnerability’s appearance and its exploitation. That is far too long for it to have remained unaddressed or only partially addressed.
2) Their priorities were misplaced (this is reflected in their response)
They placed greater importance on preserving access to online services than on the security of their customers. Or, at least, somebody within the organization did. The safe thing to have done would have been to close the channel through which they had detected suspicious activity, rather than throttle it: throttling merely slows an exfiltration that is already succeeding, while closing the channel stops it.
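To make the throttle-versus-close distinction concrete, here is an added example (not code from the original post, and not anything either bank is known to run) of a toy triage rule over constructed API access logs. The log format, field names, IP addresses and thresholds are assumptions for illustration. It separates a source that is successfully reading many distinct customer records (where rate-limiting only slows the loss, so the verdict is "block") from a source that is merely loud (mostly rejected requests, no records served, so "throttle" is a defensible response):

```python
"""Toy triage of a suspicious traffic source: throttle or close the channel?

Added example, not code from the original post or from either bank.  The log
format, field names, IP addresses and thresholds are all assumptions made for
illustration; the sample log is constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    """Per-source-IP counters derived from the log."""
    requests: int = 0
    ok_responses: int = 0
    bytes_out: int = 0
    accounts: set = field(default_factory=set)  # distinct records served


def parse_line(line):
    """Assumed format: '<ts> <src_ip> <path> <status> <bytes> <account_id>'."""
    _ts, src, path, status, nbytes, account = line.split()
    return src, path, int(status), int(nbytes), account


def aggregate(lines):
    """Fold log lines into per-source statistics."""
    stats = defaultdict(SourceStats)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, _path, status, nbytes, account = parse_line(line)
        s = stats[src]
        s.requests += 1
        if 200 <= status < 300:          # only successful reads move data
            s.ok_responses += 1
            s.bytes_out += nbytes
            s.accounts.add(account)
    return stats


def triage(stats, min_requests=20, exfil_min_accounts=20, exfil_success_ratio=0.8):
    """Classify each noisy source.

    A source successfully reading many distinct customer records is
    exfiltrating; rate-limiting it only slows the loss, so the verdict is
    'block'.  A source that is merely loud (mostly rejected requests, few or
    no records served) looks like a flood and can be throttled.
    """
    verdicts = {}
    for src, s in stats.items():
        if s.requests < min_requests:
            verdicts[src] = "normal"
            continue
        success_ratio = s.ok_responses / s.requests
        if len(s.accounts) >= exfil_min_accounts and success_ratio >= exfil_success_ratio:
            verdicts[src] = "block"
        else:
            verdicts[src] = "throttle"
    return verdicts


def constructed_log():
    """Constructed sample: one enumerating source, one flood, one normal user."""
    lines = []
    for i in range(30):   # sequential account IDs, every lookup succeeds
        lines.append(f"2018-05-01T10:00:{i:02d}Z 203.0.113.5 /api/account/lookup 200 842 {1001 + i}")
    for i in range(50):   # hammering the login endpoint, all rejected
        lines.append(f"2018-05-01T10:01:{i:02d}Z 198.51.100.7 /login 401 120 2001")
    for i in range(3):    # an ordinary customer checking their own account
        lines.append(f"2018-05-01T10:02:{i:02d}Z 192.0.2.9 /api/account/lookup 200 842 3001")
    return lines


if __name__ == "__main__":
    for src, verdict in triage(aggregate(constructed_log())).items():
        print(f"{src:<14} {verdict}")
```

The design point is that the response has to follow from what the detection means, not from the shape of the traffic alone: the same request rate that justifies rate-limiting a flood justifies closing the channel when each request is walking away with a customer record.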
Do those failures belong to the person who responded? No.
Were they systematic in nature, given that they appear to have been rooted in the paradigm of detection and response? Probably not; it depends on whether BMO knew they remained vulnerable. If they didn’t know, it was a mistake. If they did know, then at 115 days they were systematically negligent, which is far worse in our space.
In the end, both “what they did right” and “what they did wrong” reinforce the need for a dedicated detection and response capability, coupled with the timely and proactive remediation of the vulnerabilities that enable such attacks.