USA’s largest bond insurer MBIA Inc suffers a huge data breach due to server misconfiguration
MBIA Inc suffers huge data breach
America’s largest bond insurer, MBIA Inc., reported on Tuesday that a server holding customer information for an asset-management subsidiary that it agreed this week to sell “may have been illegally accessed.” The report further states that MBIA Inc. alerted current customers of the unit, called Cutwater Asset Management, to the potential breach on Monday night and was in the process of notifying former clients on Tuesday.
MBIA, Inc. is a financial services company and USA’s largest bond insurer. It was founded in 1973 as the Municipal Bond Insurance Association. It is headquartered in Armonk, New York, and has approximately 400 employees.
As of now, neither MBIA Inc. management nor its security team has any idea how many customers’ data may have been leaked or stolen through the exposed server. They are also not sure how long the server breach existed. The company stated that it had learned of the problem from an outside computer expert on Monday. So far, the spokesman said, there was no evidence of suspicious or improper transactions in customer accounts.
“We have been notified that certain information related to clients of MBIA’s asset management subsidiary, Cutwater Asset Management, may have been illegally accessed,” said MBIA spokesman Kevin Brown. “We are conducting a thorough investigation and will take all measures necessary to protect our customers’ data, secure our systems, and preserve evidence for law enforcement.”
Turn and Twist
The outside computer expert happens to be Brian Krebs of KrebsOnSecurity. In a separate blog post, Brian stated that the entire data breach was due to a server-side misconfiguration discovered by a security analyst, Bryan Seely of Seely Security.
On Monday, KrebsOnSecurity notified MBIA Inc. — the nation’s largest bond insurer — that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines, including a page listing administrative credentials that attackers could use to access data that wasn’t already accessible via a simple Web search.
Brian stated that when notified about the breach, MBIA Inc. quickly disabled the vulnerable site, mbiaweb.com. The mbiaweb.com site contained customer information of its sister concern, Cutwater Asset Management. Incidentally, Cutwater Asset Management is being acquired by BNY Mellon Corp.
Bryan Seely of Seely Security discovered the exposed data using the Google search engine. Seely said the data was exposed thanks to a poorly configured Oracle Reports database server. Seely said that this type of database server is configured to serve information only to authorized personnel who have valid login credentials and are accessing the data from within a trusted, private network. However, the misconfiguration meant that the data was wide open to everyone, and Google indexed it as part of its normal crawling.
Worse yet, Seely noted, that misconfiguration also exposed an Oracle Reports diagnostics page that included the username and password that would grant access to nearly all of the customer account data on the server.
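A defender can look for the condition described above, pages meant for a trusted network being served to outside addresses and search-engine crawlers, in the web server's own access logs. The following is an added example, not code from MBIA, KrebsOnSecurity or Seely Security; the Combined Log Format, the /reports/ prefix, the 10.0.0.0/8 trusted range and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (not from the article): restricted URL prefix and trusted range.
RESTRICTED_PREFIXES = ("/reports/",)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CRAWLER_RE = re.compile(r"googlebot|bingbot|slurp|duckduckbot", re.I)
# Apache/nginx Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '10.1.2.3 - alice [01/Jan/2024:09:00:01 +0000] "GET /reports/summary?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:09:05:44 +0000] "GET /reports/summary?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [01/Jan/2024:09:07:10 +0000] "GET /reports/diagnostics HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:09:07:12 +0000] "GET /reports/summary?id=2 HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:09:08:00 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "Googlebot/2.1"',
]


def audit(lines):
    """Return (kind, ip, path) for restricted pages served outside TRUSTED_NETS."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(RESTRICTED_PREFIXES):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client logged as a hostname; skipped in this example
        trusted = any(ip in net for net in TRUSTED_NETS)
        if trusted or not m["status"].startswith("2"):
            continue  # internal client, or the server refused the request
        # A 2xx response to a crawler means the page can end up in a search index.
        kind = "crawler" if CRAWLER_RE.search(m["ua"]) else "external"
        findings.append((kind, m["ip"], m["path"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any "crawler" finding means restricted content has already been fetched for indexing, so closing the exposure should be followed by a removal request to the search engine and rotation of any credentials that appeared on those pages.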
“Malicious hackers finding dozens of universities or companies with Social Security numbers, health data or other information is devastating, but stumbling on bank accounts and the instructions for how to empty them is potentially catastrophic,” Seely said. “Billions in taxpayer funds, invested into one of the largest institutions in the world that were essentially being guarded by a sleeping security guard. What happens to those states when the money disappears?”
However, the question remains: how can the customers affected by this data breach be made to understand that utter idiocy on the part of MBIA Inc.'s management and security team somehow made their confidential information available to everyone, everywhere, via Google?