
You know the drill
So, how's that cloud thing working for ya?
Community bank MainStreet Bancshares says thieves stole data belonging to some of its customers during an attack on a third-party provider. Showing how vendors along the supply chain are often the weak link, the holding company that primarily oversees MainStreet Bank told America's Securities and Exchange Commission (SEC) …
The argument is always "It'll cost us more, and force us to pass it along to our customers", and it's likely not going to change, because greed demands looking for a cheaper option. Also, there's always a 3rd party "desperate" enough to want the business, with promises of much lower costs, and worked by people who truly don't give a damn because "It's not my money being affected".
"immediately activated its incident response process to investigate ... and initially concluded that the incident's impact would likely not be material"
Was that an initial but erroneous conclusion before they discovered customer data was leaked, or did it mean there was no material impact on the bank as opposed to the customers?
"these filings fail to provide investors with meaningful, or actionable information to inform their investment decisions,"
If I, as a customer, deposit money with a bank I consider that I've invested it just as much as if I'd spent it on buying the bank's shares. As such I'd expect a prompt disclosure of a security problem to be both meaningful and actionable. But I don't suppose the banks complaining like this care about customers.
Likewise: "while not losing sight of the SEC's investor protection mandate." I'd hope that where the business is a bank the SEC's mandate covers customers' funds as well as those of shareholders.
I think I am beginning to see a pattern with these breaches - it always seems to be blamed on a third party service provider.
More of what seems to be a common attitude nowadays - "wasn't me mate, it was some other lads".
Perhaps these companies/organisations should stop and ask themselves why they are trusting a third party (over whom they have no control) to handle sensitive or private data that other people have entrusted their company/organisation to hold.
As Pascal has said, security of the data they hold is <their> business; blaming others is just a cop-out. The loss of data is as much the originating organisation's fault as it is the fault of the third party.
If my personal data that I handed to company X is breached, it is the responsibility of company X. If it happened at my credit union I'd be looking to take my business elsewhere regardless of whether it was a third party that they'd "swiftly ceased all activity with". Too late.
If anyone should have higher standards for security it should be a bank. I'm not going to blame too hard if a restaurant chain or clothing store takes a hit and personal information is stolen, but a bank is a different animal.
It's like going through the bins of tens of thousands of people. Most of this data is of no realisable value. We have developed herd immunity to most scams. If we really didn't care any more about this, the ROI of stealing data would collapse. There wouldn't be any point in doing it any more. Malware is the scam du jour because it costs proper money to replace your kit, put your system back together and pay fines. The actual data loss is becoming incidental. And encrypted data is just junk. Some individuals will be targeted because they are rich or government or military, the latter by spooks. But general data theft is close to being a waste of time and effort nowadays. It's just an additional income stream for the state in fines on companies that get busted for losing data.
Hacking government e-mails might actually be socially beneficial, introducing some welcome transparency into politics. If only someone had hacked Boris's messages before he 'lost' them, they could have sent them to the relevant inquiries. But that never seems to happen.
Perhaps that will be the only revenue stream open to hackers in future. Hack stuff, store it securely, and when a company loses it or someone drives over their phone, offer to sell your copy of their data back to them. HaaS: Hacking as a service.
It's not just scams. If you can get ahold of someone's identification number (SSN in US) and birthdate, you can open accounts in their name - like credit card accounts that you then use to pay yourself. Name and address are used to threaten the individual with swatting. There are plenty of ways the data can be used against people.
So banks are trying to argue they shouldn't have to disclose breaches because it's too much trouble, makes them look bad, and opens them up to extortion from the hackers. Want to solve those? Try improving your security.
Best way to handle people's data - treat it like toxic waste. Keep only what you absolutely must have, keep it very secure, and consider any leak of it to be a disaster.
This has been bugging me for a while now, so here's as good a place as any.
Here in the north of England, 'Trump' in colloquial use means 'Fart'.
The word has always made me a little uncomfortable, but this year that discomfort has grown substantially because the current president of the USA is so obviously deranged.