Abstract
On February 9, 2024, Jeremiah Fowler, a cybersecurity researcher, discovered a non-password-protected database and reported it to WebsitePlanet. U.S. Credit Union is a trusted fintech provider with a network of financing institutions that are capitalizing on the convergence of technology. The database was stored in the cloud, resembled a Customer Relationship Management (CRM) system, and was reportedly linked to CU Solutions Group, a Michigan-based credit union service provider. The database was not protected by a password, had no authentication or authorization policies, and was publicly exposed, which means it was accessible to the whole internet. The leak comprised over 3 million records (3,125,660 in total), including a collection of sensitive information: over 1 million email conversations, internal notes, clients’ full names, physical addresses, details about thousands of credit unions across the United States, email addresses, and plaintext passwords. The credit union blames third-party providers for the misconfiguration of the cloud database, and it is unclear who should be held responsible.
Incident
Financial services hold highly sensitive data and Personally Identifiable Information (PII) in individuals’ records. Confidentiality means giving data access only to authorized users and preventing access by bad actors. Unauthorized access to an individual’s information is a violation of confidentiality, and that information can be altered or modified by the hacker, which breaches the integrity component of Information Security’s CIA triad. This attack was performed using a method named “credential stuffing”, where hackers use bots to try credential combinations used in previously known data breaches. This data leak also violated patients’ privacy, which is an assurance given by healthcare firms to protect their consumers’ sensitive data.
Recommendations
The U.S. Credit Union configured the database securely by setting up authentication. It can also apply the following measures to keep it secure: implement strong authentication and access control; hash or encrypt passwords instead of keeping them in plain text, so that even if they were leaked it would not be a security concern; implement backups and disaster recovery; and perform regular vulnerability assessments to check for any weaknesses.
References
https://www.hackread.com/us-credit-union-service-plain-text-passwords-data-leak/
https://www.websiteplanet.com/news/credit-unions-breach-report/