BreachExchange mailing list archives

SCNB hit by breach – over 8,000 clear text credentials stolen


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 16 Jan 2010 18:24:42 -0500

http://www.thetechherald.com/article.php/201002/5090/SCNB-hit-by-breach-–-over-8-000-clear-text-credentials-stolen

'Twas the night before Christmas, when Suffolk Bancorp said an
internal audit by Suffolk County National Bank (SCNB) discovered that
over 8,000 customer online banking credentials were snatched from a
server where they resided in plain text.

Suffolk Bancorp said that the 8,378 records accounted for less than
ten percent of their customer base at SCNB, but failed to explain the
reasoning for leaving such information on a server in the clear.

After the attack was discovered, the servers used by SCNB were rebuilt
and various other security measures were put in place. In addition,
all SCNB customers should have a letter from Suffolk Bancorp
explaining the incident, a statement said, as they went out

According to Amichai Shulman, Imperva’s CTO, what is amazing about the
case is not just the fact that the bank has taken until earlier this
week to reveal that around 10 percent of its customers' credentials
were compromised, but that the data was stored as plain text.

“What I find astonishing about this hack is that you would think that
a banking application would undergo much more stress testing than most
and, as a result, the storage of user credentials in plain text would
have been spotted and remediated early on in the system development
process,” Shulman said.

“Although the full modus operandi for this banking hack has yet to be
revealed, given that the server was accessed and 8,378 credentials
were stolen, I would assume the attacker gained access using an SQL
injection approach,” he added.

Neither SCNB, nor their parent Suffolk Bancorp, would discuss the
technical aspects of the breach, which occurred over a six-day period
from November 18-23. They said in a statement that they have detected
no unauthorized use of the stolen credentials since the attack.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
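The two weaknesses the article turns on, credentials kept in the clear and (on Shulman's guess) an SQL-injectable login path, shown side by side with the hardened form. This is an added example, not code from the article, from SCNB or from Imperva; the table layout, user names and passwords are constructed for illustration, and the iteration count is kept low so the example runs quickly.

```python
import hashlib
import hmac
import os
import sqlite3

# Kept small so the example runs fast; production code should use the
# current OWASP recommendation for PBKDF2-HMAC-SHA256 (several hundred thousand).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string carries its own parameters."""
    salt = os.urandom(16)  # fresh per-user salt: identical passwords get different hashes
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


# Verified for unknown users so a missing account costs the same time as a wrong password.
_DUMMY_HASH = hash_password("not-a-real-password")


def build_db(hashed: bool) -> sqlite3.Connection:
    """Constructed sample table with two made-up customers (hypothetical data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, secret TEXT)")
    for user, pw in [("alice", "Winter2009!"), ("bob", "hunter2")]:
        db.execute("INSERT INTO users VALUES (?, ?)",
                   (user, hash_password(pw) if hashed else pw))
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Before: SQL built by string formatting, password column in plain text."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND secret = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_hardened(db: sqlite3.Connection, username: str, password: str) -> bool:
    """After: bound parameters, and the password checked only against its hash."""
    row = db.execute("SELECT secret FROM users WHERE username = ?", (username,)).fetchone()
    stored = row[0] if row else _DUMMY_HASH
    return verify_password(password, stored) and row is not None


def dump_secrets(db: sqlite3.Connection) -> list:
    """What an attacker who reads the table gets: the secret column verbatim."""
    return [r[0] for r in db.execute("SELECT secret FROM users")]


if __name__ == "__main__":
    vuln = build_db(hashed=False)
    print("plain-text store, injected password:", login_vulnerable(vuln, "alice", "' OR '1'='1"))
    print("plain-text store dump:", dump_secrets(vuln))
    hard = build_db(hashed=True)
    print("hashed store, injected password:", login_hardened(hard, "alice", "' OR '1'='1"))
    print("hashed store dump:", dump_secrets(hard))
```

With the plain-text store the injected password `' OR '1'='1` turns the WHERE clause into `... AND secret = '' OR '1'='1'`, which matches every row, and a dump of the table is the credential list itself. With bound parameters the same string is just a wrong password, and a dump of the hashed table yields per-user salted PBKDF2 strings that still have to be cracked one at a time.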

