Right as National Cybersecurity Awareness Month began, the American Bankers Association announced it had been hit by a malicious intrusion that targeted member online purchases and event transactions.
Data breaches can happen to anyone — even the organizations that lobby Congress for stronger cybersecurity legislation.
On October 1 — which happened to coincide with the first day of National Cybersecurity Awareness Month — the American Bankers Association announced that “at least 6,400 records composed of ABA Shopping Cart usernames and passwords were posted online.” The breach, while smaller than other recent attacks, is significant because of the association’s close ties with the financial industry. Are the hackers simply looking for credit card numbers, or is this part of a larger strategy to learn more about the banks and their employees?
— American Banker (@AmerBanker) October 2, 2015
That question has the staff at American Banker talking:
- Some experts said the hacking of a trade association website, where users enter personal details to sign up for events or order publications, should raise alarms about perpetrators potentially wanting access to credentials an employee might use at a member institution.
- “It helps whoever has that data potentially to learn more about the bank that that individual is tied to,” Mercedes Tunstall, a partner at Pillsbury Winthrop Shaw Pittman LLP, said.
An FAQ from the ABA says it has “seen no evidence that the hacker has also accessed credit card or other personal financial information.” That bodes well for the outcome of this breach, and the ABA says it is already working with a security firm to identify the source of the attack.
Cybersecurity Awareness Month Just Got Real
While ABA would surely rather run a cybersecurity drill than deal with a real breach, there are some important lessons to be learned from the experience.
- Encourage members to use a unique password for your site. If members use the same password for your site, their email, and their bank, a hacker who obtains that one password from your site can log in to all three, and leaked username/password lists are routinely tried against other sites for exactly that reason. Password managers like 1Password and LastPass make it easy to generate and store a unique password for every login.
- Consider two-factor authentication for your membership site. Requiring a second factor, such as a one-time code from an authenticator app or a hardware security key, is one of the easiest ways to blunt a stolen password, because the leaked username and password alone are no longer enough to log in. Without it, hackers can “daisy chain” accounts: a password recovered from one site gets them into a member’s email, and that mailbox’s password-reset links get them into the accounts they are actually interested in.
- Ask members to pull a credit report three times per year. Each of the three major credit reporting agencies (TransUnion, Equifax and Experian) offers one free credit report per year, so a member who staggers them can check a report every four months and spot new accounts or inquiries they did not open. This breach exposed logins rather than financial data, so this is a precaution against follow-on identity theft, not something the shopping cart data itself enables.
The biggest takeaway from the ABA breach? Every organization needs to act like a security organization these days. It’s your responsibility to keep your members educated and secure.