The importance of having a breach response in place

Mar, 2015 Categories: Banks Spotlight

The possibility of a bank’s systems being hacked is increasing, regardless of the size of the bank. In addition to the well-publicized breaches of mega and regional financial institutions, we are witnessing more reports of attacks on smaller community banks. Your bank should have a workable breach response plan in place that your staff can rely on and follow immediately upon the discovery of a breach.

As banks continue to refine their methods in securing systems, hackers are fine-tuning their skills as well, finding more ingenious ways to crack into systems and ATMs:

Attack through third-party vendors.
In the most recent case of the JP Morgan attack, hackers used sophisticated methods to obtain customer data by infiltrating the bank’s systems through a corporate event website it sponsors, the JP Morgan Corporate Challenge. According to reports, the Russian hacking gang obtained the website certificate for the site’s third-party vendor, which allowed them to access communications between visitors and the site, including passwords and email addresses.

Direct Infiltration of ATMs.
Another creative and emerging form of attack targets ATMs: criminals gain physical access to the machine, typically by posing as repair techs–complete with uniforms and fake credentials–and install malware by plugging a USB device directly into the machine. The thief is able to walk up to a machine, open the enclosure with a universal key or passcode (similar to hacking fuel pumps at gas stations to skim credit card information) and install malware that compromises the software. This form of attack is increasingly used because it is more profitable than attaching skimming hardware. The malware can sit undetected in the system for a longer period of time, allowing the thieves to thoroughly and quickly drain an ATM before it is noticed or serviced by official bank personnel.

Malware installed by email attachment.
Recently, a community bank’s system was accessed due to malware delivered by email to a teller. From all appearances, the email from a spoofed government site looked legitimate, so the teller opened the attachment. The attachment masked a virus which snaked through the bank’s network, installing malware which allowed the hackers access to various systems and files (including a Microsoft Office language pack translator which was manipulated and activated by the malware, most likely to translate English keystrokes into a foreign language). The hackers were able to access and make changes to a number of customer accounts. Luckily for the bank, a customer noticed a simple discrepancy on their statement and notified the bank, which was able to respond quickly to the attack before any customer funds were lost. The bank’s staff was able to respond efficiently because a breach response program was in place.

Below is a brief overview of the bank’s actions which helped them succeed in handling the breach and communicating to customers what had occurred:

  • Bank staff assessed the situation, notified senior management and began an initial analysis to determine the potential issue as soon as they were notified by the customer.
  • Once it was determined that there was a potential breach, management met, formed a response team and consulted their formal breach response program for next steps.
  • More in-depth analysis and forensic reviews of all bank and vendor systems were conducted by the bank’s IT in coordination with external vendors to determine the breadth and scope of the breach. Affected computers and systems were taken offline to prevent further spread.
  • In addition to the spoofed government agency, other parties were immediately notified, including potentially affected vendors as well as the bank’s accounting and legal advisors.
  • Law enforcement divisions were contacted, including the Secret Service and state/local police departments.
  • Once it was determined to what extent external communications were needed, it was decided that only the affected customers needed to be contacted. These customers were promptly contacted by a specially trained team of customer service reps, formed specifically to handle this situation. Each CSR was paired with a bank officer or manager and provided with a phone script, including an explanation to the customer of what occurred and next steps. Additionally, notifications were mailed to these customers.
  • To establish new accounts for the affected customers, meetings were held at times and branches convenient for the customer. Accordingly, branch office hours were extended to accommodate these customers, who were also provided an identity protection package.
  • Afterwards, the bank made what they felt were necessary changes to certain systems, software and protocols in order to decrease the potential occurrence of future breaches.

Overall, the bank was able to determine, isolate and shut down the breach and send out initial customer communication within 5 days after the initial customer alert. Because they had the foresight to develop and institute a breach response plan, the bank’s staff was able to effectively handle this crisis.

Does your bank have a breach response plan?
Resources are available for you and your staff to develop and implement a breach response plan. If your bank is a member of the American Bankers Association, you can learn more or access materials such as a Full Communication Tool Kit at or contact ABA’s Doug Johnson (Djohnson@Aba.Com) or Heather Wyson (Hwyson@Aba.Com) at 800-BANKERS.

Also, if your bank is not a member already, consider joining FS-ISAC (The Financial Sharing and Analysis Center), a nonprofit organization uniquely dedicated to the financial industry as a go-to resource for cyber and physical threat intelligence and information sharing. Visit Fsisac.Com or call Member Services at 877-612-2622 for more information.

Any discussion relating to policy language and/or coverage requirements is non-exhaustive and provided for informational purposes only. For details on coverage provided by your specific policy, please refer to your policy.