Customers of the municipal bond insurance company MBIA had their information exposed due to a server misconfiguration issue.
After being notified about the breach, the company disabled the vulnerable site, mbiaweb.com. The site contained customer data from Cutwater Asset Management, a fixed-income unit of MBIA set to be purchased by BNY Mellon Corp.
Cutwater Asset Management is an investment adviser specializing in fixed income investments. It has $23 billion of assets under management and ranks among the world's largest fixed-income asset managers. Clients include state and local governments and pension funds.
According to Krebs on Security, most of the information had been indexed by search engines, including a page with administrative credentials that attackers could have used to get their hands on data that wasn't available by searching the web.
"We have been notified that certain information related to clients of MBIA's asset management subsidiary, Cutwater Asset Management, may have been illegally accessed," MBIA spokesman Kevin Brown tells Dark Reading. "We are conducting a thorough investigation and will take all measures necessary to protect our customers' data, secure our systems, and preserve evidence for law enforcement."
Brown also confirmed that the affected server had been taken offline, and that the company is continuing to investigate.
Bryan Seely, CEO of Seely Security, discovered the exposure using nothing more than a search engine. He told Krebs on Security that he believes the data was exposed by a poorly configured Oracle Reports database server. A server of this type is normally configured to serve information only to authorized users who reach it from within a private network.
"This is the same class of problem as connecting a test server with a default password to the Internet, like happened at HealthCare.gov," says Eric Cowperthwaite, vice president of advanced security and strategy at Core Security. "IT organizations should have quality and change management controls in place that prevent this in the first place. And even if that should fail, their information security teams should be performing testing of systems and continuous monitoring, because a set of check boxes on a change management form does not mean that all is well, as this data leak makes clear."
"Whether a cybercriminal needs to probe to find these flaws, or can stumble upon sensitive data indexed by a search engine, they will abuse these oversights," says Amy Blackshaw, manager for RSA fraud and risk intelligence at EMC. "Now, we can all shake our heads and think that these types of mistakes shouldn't occur -- and perhaps that is correct -- but it points to a fact that we need to change the way we are monitoring and detecting abuse on websites."
If organizations rely only on having 100% correct configuration and business logic, this type of incident will continue to occur, she says. Instead, the industry needs to start assessing the behavior of all activity occurring on a website and look for anything out of the ordinary, not just for known-bad signatures.
"If organizations had visibility into each and every click across each and every session, with analytics that quickly flagged anomalies, these types of business logic abuse could be stopped before they started," says Blackshaw.
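The article describes two signals a defender could have acted on: an internal-only reporting server answering requests from the public Internet, and search-engine crawlers successfully fetching its pages. The script below is an added example, not code from MBIA, Seely Security, Krebs on Security or Dark Reading. It assumes standard combined-format web server access logs, treats the RFC 1918 private ranges as the "internal" network, and uses a constructed sensitive path prefix (`/reports/`); the sample log lines, addresses, paths and timestamps are invented for illustration and are not from the incident.

```python
"""Flag access-log evidence that an internal-only web application is reachable
from the public Internet and is being indexed by search engines.

Added example (assumptions: combined-format logs, RFC 1918 = internal,
sensitive content lives under the constructed prefix "/reports/").
"""
import ipaddress
import re
from typing import Dict, List, Optional, Sequence

# Regex for the Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that appear in the user agents of the major search-engine crawlers.
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "baiduspider", "duckduckbot", "slurp")

# Assumption: the reporting application is meant to be used only from private address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption (constructed): paths under these prefixes must never be served to the public.
SENSITIVE_PREFIXES = ("/reports/",)

# Constructed sample log lines; addresses, paths and timestamps are invented.
SAMPLE_LOG = """\
10.20.30.5 - - [07/Oct/2014:09:12:01 -0400] "GET /reports/rwservlet/showjobs HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
66.249.66.1 - - [07/Oct/2014:09:13:44 -0400] "GET /reports/rwservlet/showenv HTTP/1.1" 200 8840 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [07/Oct/2014:09:15:02 -0400] "GET /reports/clients/statement.pdf HTTP/1.1" 200 220014 "-" "Mozilla/5.0 (Macintosh) Safari/537.36"
157.55.39.10 - - [07/Oct/2014:09:16:10 -0400] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.9 - - [07/Oct/2014:09:17:30 -0400] "GET /reports/admin HTTP/1.1" 403 310 "-" "Mozilla/5.0 (Macintosh) Safari/537.36"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_crawler(user_agent: str) -> bool:
    """True if the user agent looks like a search-engine crawler."""
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def is_internal(ip: str) -> bool:
    """True if the client address falls inside the private ranges we trust."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable address is never treated as internal
    return any(addr in net for net in INTERNAL_NETS)


def find_exposures(log_text: str,
                   sensitive_prefixes: Sequence[str] = SENSITIVE_PREFIXES) -> List[Dict[str, object]]:
    """Return successful (2xx) requests for sensitive paths that came from outside
    the internal network or from a search-engine crawler."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["path"].startswith(tuple(sensitive_prefixes)):
            continue
        if not rec["status"].startswith("2"):
            continue  # a 401/403 means the access control held; nothing was served
        reasons = []
        if not is_internal(rec["ip"]):
            reasons.append("external_client")
        if is_crawler(rec["ua"]):
            reasons.append("search_crawler")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "ts": rec["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {', '.join(f['reasons'])}")
```

On the constructed sample the internal user's request and the 403 are ignored, while the Googlebot fetch and the external client's download of a client statement are both reported. The same two checks are cheap to run continuously against real logs, which is the kind of monitoring Blackshaw argues for: a crawler hit on an internal-only path is a sign the content is about to appear in search results, and any external 2xx on such a path means the network boundary the deployment assumed is not actually there.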
"We need to accept that it's impossible to build prevention mechanisms that are immune to human error," says Tal Klein, vice president of strategy for Adallom. "What happened at MBIA was a misconfiguration. What happened at [JPMorgan Chase] was a mistaken click on the wrong link. What happened at Target was an ignored alert. The biggest fallacy that exists in cyber security remains our belief that we can somehow prevent the next breach with more people or better technology. It's time to accept that breaches are a fact of life and invest in a strategy that 'assumes breach' and treats data like money."