Plugging the Leak
In 2019, the personal data of 1,220,000 people was stolen from Capital One's servers in the United States. The perpetrator of the breach, Ms. Paige Thompson, had previously worked at Amazon Web Services, the cloud hosting provider used by Capital One. While Ms. Thompson's motive remains unclear, it does not appear to have been financial: she did not intend to use the stolen information to enrich herself or to monetize the stolen credit card details. Rather, her intention was to share the data with other fraudsters, who could use it for whatever purpose they wanted. Although investigators were unable to verify whether the data had actually been disseminated, Ms. Thompson did post online that she was going to leak it, and Capital One received an anonymous tip that their data had been leaked on the deep web. Ms. Thompson has since been arrested, and the evidence found proves she was responsible for stealing the data, but there is little to no evidence of exactly how much data was stolen or what she did with it.
This entire episode raised questions about how data can be traced and, more importantly, what a company can do to protect itself and its customers once data has been leaked. With the banking industry as a whole moving towards being paperless and aiming to be more "remote-friendly", a whole new slate of issues has emerged. Beyond the familiar concern of an individual's card information being stolen and monetized, financial institutions should also be wary of this data being used to create synthetic identities, as we previously covered. This means a fraudster could use a single victim's personal information to charge thousands of dollars to the victim's credit card, empty the victim's bank account, and apply for a loan or additional credit card(s) and rack up thousands of dollars more there. The severity of the damage a fraudster can cause has grown exponentially, and as such, the way companies react to data leaks is more important than ever. Apart from finding the vulnerability that led to the data leak and taking corrective action, a financial institution must manage the leak with its customers in the best way possible or risk severe repercussions.
So, what can or rather, what should a company do?
Communication is Key
First and foremost, a company should get ahead of the story. This allows the company to control the narrative. Furthermore, since the company is sharing the information and owning up to it, it may salvage some of the company's integrity in the minds of its customers.
The issue here is whether the company should take a blanket approach and inform all customers of a data breach, or just the people whose data has been compromised. In 2011, Sony's PlayStation Network suffered a data breach that included some credit card information and other personally identifiable information. Sony took the blanket approach and sent an email to all PlayStation Network customers as well as to all other customers who had provided Sony with their email addresses in the past. Whilst Sony never explained why it decided on this course of action, it is assumed that Sony was unable to determine the scale of the data leak and, as such, felt it was prudent to email all existing customers. This led to Sony projecting a loss of $3.2 billion as sales of TVs and other Sony gadgets fell. If this had been a financial institution, the additional staffing costs to deal with customer complaints, the regulatory fines, and the cost of issuing new cards to everyone who was affected or requested one would have to be added to the cost of the data breach.
A more targeted approach to informing customers is more common nowadays. This can prevent mass panic, but at the same time, customers who have not been identified as victims of the data leak might remain uninformed.
Force Corrective Actions
The golden rule of the payments industry is “Convenience, convenience, convenience”. This thinking has led to the proliferation of contactless payments, QR payments, NFC payments etc. Yet, this rule has to be ignored when dealing with a data leak. Once a financial institution has communicated the data leak to its customers, the next step would be to try to minimize the impact of the leak.
If the financial institution has a complete list of the people impacted by the data leak, this is a straightforward exercise. The first step is for the financial institution to cancel all compromised credit or debit cards, reissue replacements and send them out to the affected customers. Next, the financial institution should place a flag on each account held by any person or company that was a victim of the data leak. This flag should serve as a warning to all employees and automated systems to be extra vigilant when dealing with these account holders. As a result, certain conveniences would be removed from the user experience. For example, if a victim wanted to apply for a new credit card, they might need to complete the application in person, at a branch. Similarly, if a victim wanted to open a checking account or order a new cheque book, they would need to complete the request in person, at a branch. With these actions, the financial institution keeps the customer safe by introducing inconveniences that act as a deterrent to fraudsters.
Additional corrective actions might include having to resubmit proof of identity and/or proof of address documentation, going through the facial recognition process again, having QR payments and contactless payments temporarily disabled, or even having all accounts frozen until additional identity verification has been completed.
These are the ideal actions for a financial institution to take. However, it is unlikely that a financial institution will want to inconvenience a victim of a data leak to this degree, lest the customer decide to move to a competitor. So, chances are, the financial institution will instead automatically log the customer out of all existing devices and force a password change coupled with biometric confirmation from the user's phone.
If the financial institution does not have a complete list of the people impacted, inconvenience as a deterrent will not work. Instead, the financial institution will need to use a more advanced technique, behavioural analysis, to determine which transactions or actions might be attempted by fraudsters. These systems need to be purpose-built and constantly tweaked and adjusted, meaning that a financial institution might opt against them simply because of the enormous cost involved.
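To make the behavioural-analysis idea concrete, here is an added example (not code from the article or from any bank) of the kind of per-account baseline a fraud system builds and how a new transaction is scored against it. The transaction history, the scoring weights, the ten-minute velocity window and the allow/step-up/block thresholds are all constructed for illustration; a production system would tune each of them against real fraud outcomes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    amount: float
    country: str
    channel: str        # "chip", "contactless", "qr", "online"
    when: datetime


# Constructed sample history for one account (not real data).
HISTORY = [
    Txn("acct-1", 12.50, "US", "contactless", datetime(2024, 3, 1, 8, 15)),
    Txn("acct-1", 45.00, "US", "chip",        datetime(2024, 3, 2, 12, 40)),
    Txn("acct-1", 30.25, "US", "contactless", datetime(2024, 3, 3, 18, 5)),
    Txn("acct-1", 60.00, "US", "online",      datetime(2024, 3, 5, 20, 30)),
    Txn("acct-1", 22.10, "US", "contactless", datetime(2024, 3, 6, 9, 0)),
]

# Constructed incoming stream: a normal purchase, a large foreign online
# purchase, then a third transaction inside the velocity window.
INCOMING = [
    Txn("acct-1", 35.00,  "US", "contactless", datetime(2024, 3, 7, 10, 0)),
    Txn("acct-1", 950.00, "RO", "online",      datetime(2024, 3, 7, 10, 3)),
    Txn("acct-1", 20.00,  "US", "contactless", datetime(2024, 3, 7, 10, 5)),
]


def build_profile(history):
    """Baseline of what 'normal' looks like for this account."""
    amounts = [t.amount for t in history]
    return {
        "mean": mean(amounts),
        "std": pstdev(amounts) or 1.0,   # avoid divide-by-zero on a flat history
        "countries": {t.country for t in history},
        "channels": {t.channel for t in history},
    }


def score_transaction(txn, profile, recent, *, velocity_window=timedelta(minutes=10), velocity_limit=3):
    """Return (score, reasons) for one transaction. `recent` holds the earlier
    transactions of the current stream, oldest first."""
    score, reasons = 0, []
    z = (txn.amount - profile["mean"]) / profile["std"]
    if z > 3:                                   # amount far outside the account's norm
        score += 3
        reasons.append(f"amount z-score {z:.1f}")
    if txn.country not in profile["countries"]:  # never seen in this country before
        score += 2
        reasons.append(f"new country {txn.country}")
    if txn.channel not in profile["channels"]:   # never used this payment channel before
        score += 1
        reasons.append(f"new channel {txn.channel}")
    burst = [r for r in recent if txn.when - r.when <= velocity_window]
    if len(burst) + 1 >= velocity_limit:         # too many transactions in a short window
        score += 2
        reasons.append(f"{len(burst) + 1} transactions within {velocity_window}")
    return score, reasons


def decide(score, *, challenge_at=2, block_at=4):
    """Map a risk score onto an action; thresholds are assumed values."""
    if score >= block_at:
        return "block"
    if score >= challenge_at:
        return "step_up"
    return "allow"


def evaluate_stream(history, incoming):
    """Score each incoming transaction in order; returns [(decision, score, reasons), ...]."""
    profile = build_profile(history)
    recent, results = [], []
    for txn in incoming:
        score, reasons = score_transaction(txn, profile, recent)
        results.append((decide(score), score, reasons))
        recent.append(txn)
    return results


if __name__ == "__main__":
    for decision, score, reasons in evaluate_stream(HISTORY, INCOMING):
        print(decision, score, reasons)
```

Run as written, the first transaction is allowed, the 950.00 purchase from a new country is blocked, and the third is only stepped up because it trips the velocity rule alone. The reasons list is what an analyst or a customer-facing message would be built from; a real deployment would keep the profile per account in a feature store and re-tune weights continuously, which is the ongoing cost the article refers to.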
The final step in how a financial institution can, or should, manage a data leak from a customer standpoint is to future-proof its systems. This does not need to be excessively complicated, and a few organizations have account security features that can be considered best in class. For example, Microsoft's email service has an opt-in password-expiry policy that makes users change passwords every 90 days. Similarly, PayPal and a host of other companies regularly make use of two-factor authentication when logging into their systems. This clamps down on unauthorized use and also renders accounts set up with temporary phone numbers useless. Another example is WhatsApp, which requires users to enter their PIN every two weeks to ensure the account has not been compromised.
The ideal solution here is a biometric-based challenge that is triggered at random. This would use the phone's camera or fingerprint scanner to verify a user's identity at unpredictable intervals. The unpredictability of when the challenge might be triggered, coupled with the static nature of the biometric checks, makes this a difficult hurdle for a fraudster to overcome.
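The corrective actions for a flagged account described earlier (cancel and reissue cards, revoke sessions, force a password change with biometric confirmation, push branch-only and disabled features) and the randomly triggered biometric challenge just described can be expressed as one authorization policy. The following is an added example, not the article's own or any institution's code; the action names, the grouping of actions by sensitivity, the `reissue` hook and the one-in-ten challenge rate are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_biometric_confirmation"
    IN_PERSON = "complete_at_branch"
    DISABLED = "feature_disabled"


# Assumed action taxonomy, grouped by how a flagged account is treated.
BRANCH_ONLY_WHEN_FLAGGED = {"apply_credit_card", "open_checking_account", "order_cheque_book"}
DISABLED_WHEN_FLAGGED = {"qr_payment", "contactless_payment"}
STEP_UP_WHEN_FLAGGED = {"add_payee", "change_contact_details", "card_not_present_payment"}


@dataclass
class Account:
    account_id: str
    cards: set = field(default_factory=set)
    sessions: set = field(default_factory=set)
    compromised: bool = False        # the warning flag seen by staff and automated systems
    reverify_pending: bool = False   # forced password change + biometric not yet completed


def reissue(card_id):
    """Hypothetical card-reissue hook: returns the replacement card identifier."""
    return f"reissued-{card_id}"


def mark_compromised(acct):
    """Corrective actions for an account on the breach list: cancel and reissue cards,
    revoke every session, set the flag and require a password change with biometrics.
    Returns the set of cancelled cards."""
    cancelled = set(acct.cards)
    acct.cards = {reissue(c) for c in cancelled}
    acct.sessions.clear()
    acct.compromised = True
    acct.reverify_pending = True
    return cancelled


def authorize(acct, action, *, biometric_ok=False, rng=secrets.randbelow, challenge_one_in=10):
    """Decide how an action on this account may proceed.
    rng(n) must return an int in [0, n); it is injectable so the random challenge is testable."""
    if acct.reverify_pending:
        # Until the forced reset is done, only the reset itself (with biometrics) goes through.
        if action == "change_password" and biometric_ok:
            acct.reverify_pending = False
            return Decision.ALLOW
        return Decision.STEP_UP
    if acct.compromised:
        if action in BRANCH_ONLY_WHEN_FLAGGED:
            return Decision.IN_PERSON
        if action in DISABLED_WHEN_FLAGGED:
            return Decision.DISABLED
        if action in STEP_UP_WHEN_FLAGGED and not biometric_ok:
            return Decision.STEP_UP
    # Randomly triggered biometric challenge, applied to every account so its timing
    # cannot be predicted: roughly one action in `challenge_one_in` is challenged.
    if not biometric_ok and rng(challenge_one_in) == 0:
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    victim = Account("acct-1", cards={"card-1"}, sessions={"web", "mobile"})
    print("cancelled:", mark_compromised(victim))
    print(authorize(victim, "view_balance"))                                  # STEP_UP until reset
    print(authorize(victim, "change_password", biometric_ok=True))            # ALLOW, clears pending
    print(authorize(victim, "apply_credit_card"))                             # IN_PERSON
    print(authorize(victim, "qr_payment"))                                    # DISABLED
```

The random challenge uses `secrets.randbelow`, a CSPRNG, rather than `random`, so the timing cannot be reproduced by someone who observes a few challenges. Keeping the challenge rate the same for flagged and unflagged accounts means a fraudster cannot infer from the absence of challenges that an account is not on the breach list.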
What else do you think a financial institution should do when it has a data breach? Or, if you have suffered one, contact us now for a free, no-obligation consultation.