TCM Bank has revealed that a website misconfiguration exposed critical information of thousands of people who applied for credit cards between early March and mid-July of this year. TCM, which helps more than 750 small and community U.S. banks issue credit cards to their account holders, is blaming the breach on the third party that manages its website. IT security experts commented below.
Matan Or-El, CEO & Co-founder at Panorays:
“When partnering with third parties, organizations cannot relieve themselves from the responsibility of security. In the eyes of the affected consumer, they provided the data to the organization, and they hold that organization responsible. Policymakers have also taken that stance, and various regulations today (for instance, GDPR and NY DFS) hold organizations responsible for the security of their third parties. The issue is that organizations typically lack visibility and control over their third parties. However, there are solutions today that provide organizations with that necessary visibility. During the vetting process, companies can scan and monitor the third party to receive an ongoing view of the third party’s security posture. More advanced solutions even provide easy collaboration and engagement tools between the organization and the third party to ensure that the third party raises its security posture. It is a process that benefits and protects both the company and the third party.”
Lee Munson, Security Researcher at Comparitech.com:
“The data breach at TCM Bank is a potentially dangerous one for all those affected by it. The leaking of credit application data is almost as bad as it gets in terms of information that can be used for identity theft and other types of fraud.
Whether or not any blame should be applied to third parties, severe damage has already been done and I hope to see TCM respond in a transparent way that goes beyond simply emailing affected customers.
Anyone who thinks their data may have been compromised should review bank and credit card statements on a regular basis and check their credit reports urgently.”
John Steven, Senior Director of Security Technology and Applied Research at Synopsys:
“Due to the nature of modern software, application security considerations must extend beyond the code that organisations develop in-house. Risk needs to be managed across the software supply chain, which likely includes a combination of custom code, outsourced development, open source libraries and frameworks, third-party service providers, and cloud-based infrastructure. We’re seeing an uptick in attacks and breaches that trace back to affected firms’ failure to understand this interconnectedness and the false assumption that the burden of responsibility lies elsewhere.”