David vs Goliath: Are 16,000 Banks Insecure?

Rich campagna
July 24, 2020 | 6 min read | Cyber Resilience, Security Posture

In April 2019, a tiny credit union in Greenville, Pennsylvania, Bessemer System Federal Credit Union, filed a lawsuit against Fiserv, a 24,000 employee financial services behemoth, for breach of contract. After more than a year of delays, a Federal judge ruled that the court would hear some of Bessemer’s claims in court. This is an open case, and I am neither judge nor jury, but the claims made in this lawsuit and the reach of Fiserv across the global financial system are staggering, and should be a reminder to all organizations, in every industry, of the importance of maintaining a strong security posture.

Even if you’ve never heard of Fiserv, chances are your data is stored in their systems. They are a service provider that basically provides all of the IT and digital infrastructure for over 16,000 small banks globally. They provide everything you might do electronically at a bank. Loan processing. Mobile banking. Internet banking. Fraud protection. Electronic Payments. ATM Services. You get the picture.

Obviously, with such an extensive reach, so many customers, and primary operations in one of the most regulated industries, you would expect a heavy focus on cybersecurity. In fact, a non-scientific search for “security” in the titles of Fiserv employees on LinkedIn yields 3,500 results.

Given the strategic importance of the services that Fiserv provides to Bessemer, why is Bessemer seeking their day in court? In the lawsuit, a few of the many claims are that:

  • Fiserv failed to “properly secure the confidential and highly sensitive information Bessemer and its members have entrusted to FiServ.”
  • In response to security vulnerabilities, Fiserv implemented “purely cosmetic fixes that were readily bypassed and did not address the problem.”
  • “Threatening civil and criminal prosecution if Bessemer discussed Fiserv’s problems with third parties, including other Fiserv clients.”

Ladies and gentlemen of the jury, I present to you, Exhibit A. (Indulge me please – I’ve always wanted to say that and there’s no way I’m spending 3 years reading case history in law school to do it officially).

Bessemer claims 40 cybersecurity weaknesses in the lawsuit, including:

  • Failure to promptly update and patch affected systems against commonly known security vulnerabilities and exposures, including delaying remediation of high severity vulnerabilities
  • Employing products and services past their end-of-life and end-of-service deadlines, leaving them vulnerable
  • Outbound communications to known malware sites
  • Running obsolete SSH protocols that have readily exploitable weaknesses
  • Employing weak, expired, and self-signed certificates and weak encryption ciphers
  • Failure to properly protect internet facing web services against known, exploitable vulnerabilities
  • Failure to enforce HTTPS encryption on websites
  • Failure to keep antivirus systems up-to-date
  • Failure to enforce appropriate identity verification and implement authentication best practices on Bessemer customer logins

The list goes on and on in the 156-page lawsuit.

Whether all, or any, of these allegations are accurate remains to be seen, but they mostly revolve around well-known, commonly accepted security best practices. At the same time, judging from their staffing, Fiserv is clearly an organization that has invested in security.

The challenge, for every enterprise, is that security has become incredibly complex. An organization like this has tens of thousands of assets. And there are hundreds of attack vectors that adversaries can use to find weaknesses in the defense of those assets. The security picture is so staggeringly complicated that no human can possibly wrap their head around maintaining cyber resilience for an organization like this.

Balbix was built to solve these types of challenges. Some of the world’s largest enterprises rely on us to make sense of their attack surface and prioritize what needs to get done across the infosec team to have maximum impact on breach risk reduction. If you think that your organization might have any of the issues above that Bessemer claims against Fiserv, reach out for a discussion. We’d love to see how we can help.

Related Posts

Blog
5 Steps for CISOs to Build Cyber-Resilience
Blog
5 Steps to Measure and Assess Security Posture
Blog
6 Challenges New CISOs Face in Assessing Breach Risk