On Monday MBIA Inc., a public holding company out of Purchase, NY, had a breach in security that made client account information, balances, and other sensitive customer data to the public. MBIA Inc. is the largest bond insurer in the country, offering municipal bond insurance along with investment management. The exposed information was indexed by SEOs, which included administrative credentials that could be accessed through a basic Web search. The breach was due to a misconfiguration in the company’s Web server, and although they immediately took down the site once aware of the exposure, customer data from Cutwater Asset Management (soon to be acquired by BNY Mellon Corp.) had already been illegally accessed. MBIA spokesman Kevin Brown assures that they are conducting a detailed investigation and that all necessary measures are being taken to protect their client’s information, tighten security systems, process evidence for legal measures.
Despite these assurances and the company’s quick reaction time, Google indexed over 230 pages of account and routing numbers, balances, dividends, and account holder names. According to Bryan Seely, independent security expert with Seel Security, claims that the data was released as a result of a weakly configured Oracle Reports database server. Seely explains that the diagnostics page included usernames and passwords, giving access to almost all of the client account data existing on the server.
The unintentional exposure of client information from MBIA is likely the work of foreign hackers, potentially related to the same group that hacked into the networks of JPMorgan Chase last week. These breaches are just another prime example of the need for more stringent Cyber Security measures.