Bank refuses to pay 30K demanded by hackers

Mon, Sep 21st 2015, 12:51 PM

Fidelity has not paid the $30,000 ransom demand from hackers who broke into the bank’s websites last week, and has given no indication that it intends to do so. The bank says the hacked sites “hold minimal client information” and that the risk of exposure is “very minor”.

Meanwhile, Guardian Business can confirm that Data Protection Commissioner Sharmie Farrington-Austin has initiated an investigation into the hack of the Fidelity Group of Companies websites by an organization purportedly seeking to help elect Donald Trump President of the United States.

Requests for comment from the Trump campaign were unanswered by press time.

In a press statement, Fidelity outlined its response to the invasion.

The hack
Fidelity over the weekend advised its customers that its company website has been temporarily taken off-line due to a hacking threat from an organization calling itself “Hack For Trump”.

“This entity is seeking a payment of $30,000 for its cooperation in not making the information it holds public and states, ‘If Fidelity does pay us, we plan on using those funds to help Donald Trump get elected to the White House, as he is the only candidate who can restore America to its former glory’,” the statement said.

Fidelity explained that the websites in question are hosted by a third party vendor and only used for marketing and general customer inquiries. The bank asserted that it had analyzed the websites that were reportedly hacked and they hold minimal client information.

“While the bank understands that there is the potential that a very small number of customers may have emailed the bank via the website, as mentioned above, given that the server accessed was the Bank’s vendor’s server the potential exposure is very minor,” the bank stated.

Meanwhile, Farrington-Austin told Guardian Business that the Office of the Data Protection Commissioner has been notified of the said data breach.

Investigation
The data commissioner said her office would begin an investigation in accordance with section 15 of the Data Protection (Privacy of Personal Information) Act.

“Our first priority and approach is to work with the relevant data controller to ensure that the breach is contained. Organizations (data controllers) that use third party data processors to process personal information on their behalf must take particular care, because under the Data Protection (Privacy of Personal Information) Act, ultimately the data controllers, not the data processors, will be held accountable under the Act for what the data processor does with the personal information,” she noted.

Fidelity has already conducted its own initial investigations, and has reached the following initial conclusions: only the webserver at the bank’s vendor’s location was compromised; none of Fidelity's secure servers which host client and banking information were impacted, and no customer logins or other security details were affected.

“Fidelity has not acceded to the blackmail demand and we have, over the past week, taken all reasonable steps to ensure that client data has not been compromised. We will continue to monitor our own servers and will continue to ensure that appropriate Internet security measures are in place. In the meantime, we urge our customers to be extra vigilant and to call our customer service department in case of doubt.

“Given that Fidelity has been the victim of criminal offenses we will of course be reporting the matter to law enforcement,” the bank said.

Cautionary tale
Farrington-Austin pointed out four important elements for the data controller's (organization's) breach-management plan, which she noted had been adopted from the United Kingdom.

The first element is containment and recovery: the response to the incident should include a recovery plan and, where necessary, procedures for damage limitation.

Next, assessing the risks: the data controller should assess any risks associated with the breach, as these are likely to affect what is done once the breach has been contained.

“In particular, you should assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen,” she said.

Then, notification of breaches: informing people about an information security breach can be an important part of managing an incident, but it is not an end in itself.

“You should be clear about who needs to be notified and why. You should consider notifying the individuals concerned, the Data Protection Commissioner's Office; other regulatory bodies; other third parties such as the police, banks; or the media,” Farrington-Austin said.

Finally, evaluation and response: it is important that a data controller investigate the causes of the breach and also evaluate the effectiveness of the response to it.

“If necessary, you should then update your policies and procedures accordingly,” she said.

In addition, section 6(d) of the Data Protection (Privacy of Personal Information) Act, 2003, states: “appropriate security measures shall be taken against unauthorized access to, or alteration disclosure or destruction of, the data and against their accidental loss or destruction.”

“We encourage data controllers to act responsibly at all times and data subjects who have had their personal information compromised by such data breaches can make a complaint to our office,” the commissioner said.
