Bank of America last week blamed a suspected breach of credit card data on an unidentified third party, which the bank later revealed to be a merchant. The incident illustrates security risks institutions increasingly face, whether because of a merchant breach or relying too heavily on partners and suppliers.
BofA has sent letters to select customers, notifying them of a possible compromise that likely exposed details about their credit card accounts. Though the bank's spokesperson would not reveal how many of accountholders were affected, she did say the institution is taking necessary steps to address known security gaps.
"As part of our routine fraud monitoring, if we believe a customer's card may have been compromised at a third-party location, we will notify the customer and block and reissue the card, which is what happened in this case," says BofA spokeswoman Betty Riess. "Security for our customers is a top priority, and we take proactive steps like this to protect our customers from fraud."
The bank issued customers new cards along with letters informing them of the suspected compromise. "We take these proactive steps to protect our customers and minimize any occurrence of fraud," Riess says. "It doesn't necessarily mean that fraud has actually occurred on the account."
Fred Cate, a law professor at Indiana University who specializes in cybersecurity, says the BofA incident is a reminder that sensitive information must be secured across and within numerous links in the business and payments chain. It's not just the bank that has to ensure data and information is secure; the same precautions and security measures that are implemented in-house must be practiced by the other service providers and intermediaries with which the bank interacts.
"The entire system has to be secure," Cate says. "I think banks are doing better with, and certainly paying more attention to, ensuring that their suppliers and vendors use good security. But it is an impossible task, in the absence of federal legislation that creates a system-wide obligation to treat financial data responsibly."
Reissuing cards is reactive and necessary. But it fails to address the core problem, which is known vulnerabilities in systems that handle financial information.
Third Parties: The Weakest Link
Neal O'Farrell , executive director of The Identity Theft Council, says third-party breaches are growing problems for banking institutions of all sizes. "It's hard enough for an organization to push out and enforce its own security policies on its own employees, let alone making sure its partners and suppliers are all in step, too," he says. "And savvy attackers know where the weak links are."
Pointing to a recent study of payment-card breaches conducted by security firm Trustwave, O'Farrell says 76 percent of card breaches identified in 2011 were linked to security weakness at third parties. "A large organization can have thousands of partners and suppliers, and each of those can have dozens of vulnerabilities worth exploiting," he says. "In many cases, the vulnerability is as simple and dumbfounding as a password like 'password.'"
Banks and businesses have to do better jobs of ensuring security along the perimeter, says Kenneth Schroeder, a business continuity expert at Southeast Corporate Federal Credit Union. "It's like a painter saying that the fact that the paint he chose to paint your house with is inferior, and that's why it looks so bad," he says. "You can pass off authority, but you can't pass off responsibility."
The reluctance of institutions to admit fault when breaches occur, even if a third party is to blame, is the problem. "[They] are trying to paint it with the precautionary brush, while at the same time fulfilling the regulatory notification requirements," he says.