A flaw in the web platform of Fiserv Inc., a technology services provider for financial institutions, exposed personal and financial account information on hundreds of bank websites, according to KrebsOnSecurity.
Security researcher Kristian Erik Hermansen contacted Krebs two weeks ago to report that “he’d discovered something curious while logged in to an account at a tiny local bank that uses Fiserv’s platform.” Shortly thereafter, KrebsOnSecurity contacted Fiserv, which explained that there had been an issue in “a messaging solution available to a subset of online banking clients.”
While Fiserv declined to say exactly how many financial institutions may have been impacted overall, there are reportedly 1,700 banks currently using Fiserv’s banking platform.
“Fiserv places a high priority on security, and we have responded accordingly,” a Fiserv spokesperson told Krebs.
“After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”
Fiserv is a critical financial services vendor for banks around the globe. “A breach or data leak such as this could have a huge impact on not only the financial system in the US but globally as well,” said Jake Olcott, VP of strategic partnerships at BitSight Technologies.
“Hundreds of banks that leverage its solutions were impacted by this breach, demonstrating firsthand the imperative need for financial services companies to keep a close eye on the third-party vendors that have access to their data and customer information,” Olcott continued.
“At a higher level, financial services companies need to make sure they are having continuous, data-driven conversations with their vendors about security efforts and procedures. Fostering a more collaborative approach to security can unite businesses and their vendors in the war against an increasingly volatile threat landscape and help safeguard all parties from leaks and breaches.”