A previously reported attack against Fidelity National Information Services (FIS) two years ago was much more widespread than initially disclosed, according to a document the FDIC released to banks late last month.
Compounding matters, as of the FDIC's audit FIS had still not taken the appropriate steps toward securing banking information and protecting itself against future attacks.
The report, dissected by KrebsonSecurity, notes that “many additional” servers were implicated in the attack and that some malware exploits “were never properly identified or assessed.” The attack has been re-branded from a “pre-paid card fraud event” to a “broader network intrusion.”
The note, the result of two separate FDIC audits in 2011 and last October, was sent to scores of FIS customer banks on May 24, and came almost two years after the company publicly filed the breach with the Securities and Exchange Commission (SEC) on May 3, 2011.
In that filing, FIS claimed “7,170 prepaid accounts may have been at risk” and that “three individual cardholders’ non-public information may have been disclosed.”
The FDIC found, though, that about 100 client financial institutions appear to have had their data exposed, and that more than 2,000 touch points gave the attackers broad access to systems including the New York Currency Exchange ATM network, along with other "Internet banking, ACH, and wire transfer systems."
Based in Jacksonville, Florida, FIS processes prepaid debit cards. In 2011, attackers harvested legitimate data from 22 of those cards, went into FIS' database to remove each card's withdrawal limit, and then cloned the cards. Co-conspirators in countries including Russia, Spain, Ukraine, Sweden and Greece received the clones, and whenever a card's balance ran low the hackers could remotely reload it. Over the course of one weekend they withdrew about $13 million of the company's money from ATMs.
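The cash-out pattern described above (a limit removed or raised far beyond normal, followed within hours by withdrawals well past the old limit from several countries, plus remote reloads) is something a processor's fraud monitoring can flag from its own event stream. The following is an added illustration, not FIS code or anything from the FDIC report; the event schema (`limit_change`, `withdrawal`, `reload` records with an ISO-8601 timestamp) and the sample events are constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real FIS data). CARD-A mirrors the article's
# pattern: limit eliminated (None), then cross-border withdrawals and a reload.
# CARD-B is an ordinary card; CARD-C gets a routine, modest limit increase.
SAMPLE_EVENTS = [
    {"ts": "2011-03-04T18:02:00", "type": "limit_change", "card": "CARD-A",
     "old_limit": 500, "new_limit": None, "actor": "svc_admin"},
    {"ts": "2011-03-05T01:10:00", "type": "withdrawal", "card": "CARD-A",
     "amount": 4000, "country": "RU"},
    {"ts": "2011-03-05T01:25:00", "type": "withdrawal", "card": "CARD-A",
     "amount": 4000, "country": "ES"},
    {"ts": "2011-03-05T02:40:00", "type": "withdrawal", "card": "CARD-A",
     "amount": 3500, "country": "UA"},
    {"ts": "2011-03-05T03:00:00", "type": "reload", "card": "CARD-A",
     "amount": 10000},
    {"ts": "2011-03-05T03:30:00", "type": "withdrawal", "card": "CARD-A",
     "amount": 4000, "country": "GR"},
    {"ts": "2011-03-05T09:00:00", "type": "withdrawal", "card": "CARD-B",
     "amount": 60, "country": "US"},
    {"ts": "2011-03-06T09:00:00", "type": "withdrawal", "card": "CARD-B",
     "amount": 80, "country": "US"},
    {"ts": "2011-03-05T10:00:00", "type": "limit_change", "card": "CARD-C",
     "old_limit": 500, "new_limit": 1000, "actor": "branch_ops"},
    {"ts": "2011-03-05T12:00:00", "type": "withdrawal", "card": "CARD-C",
     "amount": 300, "country": "US"},
]


def _parse_ts(s):
    return datetime.fromisoformat(s)


def detect_limit_abuse(events, window=timedelta(hours=48), ratio=10,
                       min_countries=2):
    """Return one alert per suspicious limit change.

    A limit change is suspicious when the limit is removed (None) or raised
    by at least `ratio` times, and within `window` the card is then drained
    beyond its OLD limit from at least `min_countries` countries. Reloads in
    the same window are counted and reported, since they extend the cash-out.
    The ratio/window/country thresholds are assumed values for this example.
    """
    by_card = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        by_card[e["card"]].append(e)

    alerts = []
    for card, evs in by_card.items():
        for i, e in enumerate(evs):
            if e["type"] != "limit_change":
                continue
            old, new = e["old_limit"], e["new_limit"]
            if new is not None and new < old * ratio:
                continue  # modest adjustments are routine operations work
            start = _parse_ts(e["ts"])
            end = start + window
            withdrawn, countries, reloads = 0, set(), 0
            for f in evs[i + 1:]:
                if _parse_ts(f["ts"]) > end:
                    break
                if f["type"] == "withdrawal":
                    withdrawn += f["amount"]
                    countries.add(f["country"])
                elif f["type"] == "reload":
                    reloads += 1
            if withdrawn > old and len(countries) >= min_countries:
                alerts.append({
                    "card": card,
                    "actor": e["actor"],
                    "old_limit": old,
                    "new_limit": new,
                    "withdrawn": withdrawn,
                    "countries": sorted(countries),
                    "reloads": reloads,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_limit_abuse(SAMPLE_EVENTS):
        print(a)
```

The alert records which account performed the limit change, which is the thread an incident responder would pull first: a service or default account altering limits outside business hours is the kind of finding the FDIC's password-management criticism points at.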
Since losing that $13 million, the company has put $100 million toward fortifying its IT infrastructure over the last two years, according to an email to Krebs from FIS. Despite that spending, the FDIC points out that FIS neglected to enforce adequate password management and failed to properly update its network to keep it safe from hackers.
The company used blank, default and non-expiring passwords, a problem that almost directly contributed to the 2011 hack, while a scan of the company's systems found almost 20,000 network vulnerabilities and almost 300 overdue application vulnerability updates.
Since FIS is a facilitator for banks, handling payment technology for more than 14,000 financial institutions across the globe, it is subject to audits, but regulatory agencies can't shut it down or impose fines against it.
Payment processor breaches have picked up steam over the last five years, hitting major data firms like Global Payments last year and Citigroup and Epsilon in 2011. It was argued earlier this year that the claims against Heartland Payment Systems (perhaps second only to TJX Companies as the poster child for large-scale data breaches), which had been thrown out under a New Jersey economic loss rule, should be revived.
As Krebs also notes, the FIS breach sounds strikingly similar to the 2009 RBS WorldPay hack, in which attackers gained internal access to the company's systems, jacked up the withdrawal limits on debit cards and sent 44 such cards to "cashers" around the world to use.