Information security researcher and blogger Brian Krebs wrote a post this week regarding the 2011 data breach at Fidelity National Information Systems that resulted in a $13 million ATM cash-out fraud.
The FDIC is saying the breach was more impactful to FIS’s systems than the company originally disclosed. A report completed in October and released by the FDIC to banks on May 24 reads:
“The initial findings have identified many additional servers exposed by the attackers; and many more instances of the malware exploits utilized in the network intrusions of 2011, which were never properly identified or assessed. As a result, FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion.”
Krebs characterizes the FDIC report as describing an intrusion by hackers that left no stone unturned in the FIS network:
“From review of the previous investigation reports, along with other documentation provided by FIS, examiners and payment card industry experts identified over 2,000 touch points that indicated a broad exposure of internal FIS systems and client related data,” the report notes. “These systems include, but are not limited to, the New York Currency Exchange (NYCE) ATM network, prime core application systems, and various Internet banking, ACH, and wire transfer systems. These touch points also indicated approximately 100 client financial institutions, which appear to have had sensitive data exposed by the attackers. The investigation confirmed that data exposed and ex-filtrated during the network intrusion included some information of a high risk nature. This information includes numerous documents that would provide valuable intelligence to an attacker and some that could pose an avenue for future attacks.”
Could this “information of a high risk nature” be part of the basis for the unlimited operations carried out at EnStage and ElectraCard that resulted in ATM cash-outs that totaled $45 million? There is currently no way to discern if that is the case, but the question of whether or not the criminals who pulled off these various heists (and the one in 2008 that targeted RBS WorldPay) are somehow associated:
In an emailed statement, FIS maintained that “no client of FIS suffered any monetary loss as a result of the incident, and stressed that the report is based upon a review that was completed in October 2012.
“Since that time, FIS has continued to strengthen its information security and risk position, including investments over two years of $100 million or more, as part of our goal to provide best-in-class information security and risk management to each of our 14,000-plus clients. We have openly and regularly communicated these initiatives, our progress and results to our clients and shareholders through meetings, monthly updates, quarterly public disclosures, Board materials, educational webinars, and more.”
Click here to read more from Krebs.