Vasyl Soloshchuk
25 June 2019

Top 3 FinTech Security Breaches Alongside Redtail

The FinTech market places extremely high demands on innovation and enhanced features. As a result, FinTechs can lose focus on security and endanger their clients’ data. Could Redtail, Fiserv, Voya, and BlackRock have prevented their data issues? What should these companies do to restore their security levels and forestall a relapse? In this article, we’ve gathered information about the biggest data breaches in 2019 and analyze these companies’ experience so that others can learn from it. Check which of the tips you already follow!

Note that this post contains an analysis based strictly on news sources and official statements. You can look through the pages where each statement was originally posted. We believe that each of the companies had their own reasons for doing what they did, especially given the dynamic pace of market growth. We’ve endeavored to conduct our analysis in the most unbiased way possible.

Company name: Redtail

Redtail is a provider of web-based Client Relationship Management (CRM), compliant text messaging solutions, paperless office, and email archiving solutions in the financial services industry.

What happened?

According to InvestmentNews, Redtail blamed the leak on systems that inadvertently stored investors’ personal information in a debug log file that was publicly accessible to anyone with an internet connection. The file exposed investor names, physical addresses, dates of birth, and Social Security numbers. Further details about this incident were never reported.

Why does it matter?

Personal data leaks are always a delayed-start problem. The exposed data can later be found on the black market, where it can be enriched with other publicly available information about the same users. The more personal information fraudsters have, the more ways they can find to steal users’ identities. Once their data is exposed, users can be attacked in the future, when fraudsters fit together all the jigsaw puzzle pieces they need.

Additionally, Redtail CRM may have broken state cybersecurity regulations with their response to the leaked investor personally identifiable information, InvestmentNews says. The FinTech firm waited more than two months after first detecting an internal error, despite the fact that they discovered and repaired the breach on March 4. According to statements from Redtail representatives, they had to build specific applications to determine which clients’ data were exposed.

Were there any ways to mitigate the issue?

Log files should not contain any private client data. Even if debugging is turned on in production, no sensitive personally identifiable information should be written to a log file, and the file itself should be encrypted and stored privately.
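As an added illustration (not Redtail’s code and not from the original article), here is one way to keep the data types named above out of a debug log in Python: a logging filter masks sensitive fields by key and SSN- or date-shaped text by pattern before anything is written, and the log file is created readable by its owner only. The field names, logger name, and sample values are assumptions; encryption of the file at rest is not shown.

```python
import logging
import os
import re
import tempfile

# Shapes of the identifiers named in the incident report.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
DOB_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")
SENSITIVE_KEYS = {"ssn", "dob", "name", "address"}  # hypothetical field names

def scrub(value):
    """Mask sensitive dict fields by key and SSN/date-shaped text by pattern."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str):
        return DOB_RE.sub("[DOB]", SSN_RE.sub("[SSN]", value))
    return value

class PiiFilter(logging.Filter):
    """Rewrite each record before the handler formats and writes it."""
    def filter(self, record):
        record.args = scrub(record.args)         # structured arguments, by key
        record.msg = scrub(record.getMessage())  # final text, by pattern
        record.args = None                       # message is already formatted
        return True

def private_log_handler(path):
    """File handler whose file is created owner-read/write only (POSIX)."""
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600))
    handler = logging.FileHandler(path)
    handler.addFilter(PiiFilter())
    return handler

def demo():
    """Log constructed sample records; return the file text and its mode bits."""
    path = os.path.join(tempfile.mkdtemp(), "debug.log")
    log = logging.getLogger("crm.demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    handler = private_log_handler(path)
    log.addHandler(handler)
    log.debug("lookup ssn=123-45-6789 born 02/14/1980")  # constructed values
    log.debug("payload %s", {"name": "Jane Doe", "ssn": "123456789", "plan": "IRA"})
    log.removeHandler(handler)
    handler.close()
    with open(path) as fh:
        return fh.read(), os.stat(path).st_mode & 0o777
```

Exception tracebacks are formatted separately by the handler and are not covered by this filter, so they need their own review before debug logging is enabled in production.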

Along with the technical issues, there might be a flaw in the processes that allow private work information to be stored in public. Having clear documentation of processes on a project can help Redtail employees avoid mishandling data.

Company name: Fiserv

Fiserv is a Fortune 500 company with $5.8 billion in earnings last year. Their account and transaction processing systems power the websites for hundreds of financial institutions.

What happened?

In late April 2019, Fiserv was sued by Bessemer System Federal Credit Union. The reason was that the Fiserv platform would let anyone reset the online banking password for a customer just by knowing their account number and the last four digits of their Social Security number.

Earlier, KrebsOnSecurity reported that Fiserv had a pervasive security and privacy hole in their online banking platform. The authentication weakness allowed bank customers to view account data for other customers, including account number, balance, phone numbers, and email addresses. In response to the inquiries, Fiserv fixed the hole.

Why does it matter?

The weak authentication procedure exposed clients’ banking accounts to fraudsters. An online-banking account number and the last four digits of a Social Security number are not truly private information, as they can be accessed by a broad range of people and institutions. On the Fiserv platform, any person who knew the account number and the Social Security number of its owner could reset the password and embezzle the funds via online banking.

Were there any ways to mitigate the issue?

The banking system’s authentication operates the way it was designed, and the people who design such systems must understand security. Similarly, bank customers could view account data for other customers because of design issues. Thorough planning, business analysis, and documentation of processes can help to reduce exposure. Additionally, it’s worth implementing two-factor authentication to provide the best security for customers’ data and funds.
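To make the design point concrete, here is an added sketch (not Fiserv’s code and not from the original article) that puts the reported reset check beside a reset that requires a second factor: the identifiers only select the account, and the reset proceeds only with a short-lived, single-use code sent to a contact enrolled in advance. All names, the sample account, the 10-minute lifetime, and the 5-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600     # seconds a reset code stays valid (assumed policy)
MAX_ATTEMPTS = 5   # guesses allowed per code (assumed policy)
# Constructed sample record; "contact" is the channel enrolled at account opening.
ACCOUNTS = {"10042": {"ssn_last4": "6789", "contact": "+1-555-0100"}}
_pending = {}      # account -> [sha256(code), expires_at, attempts_left]


def weak_reset_allowed(account, ssn_last4):
    """The reported design: knowing two identifiers authorizes the reset."""
    rec = ACCOUNTS.get(account)
    return rec is not None and rec["ssn_last4"] == ssn_last4


def start_reset(account, ssn_last4, send, now=None):
    """Identifiers only select the account; proof comes from the enrolled contact."""
    rec = ACCOUNTS.get(account)
    if rec is None or not hmac.compare_digest(rec["ssn_last4"].encode(),
                                              ssn_last4.encode()):
        return  # same silent outcome for unknown and mismatched input
    code = f"{secrets.randbelow(10**6):06d}"
    expires = (time.time() if now is None else now) + CODE_TTL
    _pending[account] = [hashlib.sha256(code.encode()).hexdigest(),
                         expires, MAX_ATTEMPTS]
    send(rec["contact"], code)


def finish_reset(account, code, now=None):
    """Permit the reset only for an unexpired, single-use code."""
    entry = _pending.get(account)
    if entry is None:
        return False
    now = time.time() if now is None else now
    if now > entry[1] or entry[2] <= 0:
        del _pending[account]
        return False
    entry[2] -= 1
    supplied = hashlib.sha256(code.encode()).hexdigest()
    if hmac.compare_digest(entry[0], supplied):
        del _pending[account]
        return True
    return False
```

The `send` callback stands in for whatever delivery channel the institution has already verified; the code is never returned to the caller who supplied the identifiers.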

Company name: BlackRock

BlackRock is the world’s largest asset manager, guiding individuals, financial professionals, and institutions in building better financial futures.

What happened?

In January 2019, Bloomberg reported that BlackRock Inc. exposed names, email addresses, and other information of about 20,000 advisors by inadvertently posting a small number of sales-related documents in a publicly accessible area. The leak affected advisors who do business with BlackRock’s iShares exchange-traded funds unit. The full scope of the exposed information has not been disclosed; however, BlackRock has assured their clients that the sales-related documents did not relate to any other client businesses and did not contain advisors’ end-client data.

Why does it matter?

We still don’t know exactly what information leaked, and we cannot be sure what consequences advisors and their clients may face. For BlackRock, it means reputation damage. The spreadsheets they posted designated some of their clients as “club level,” whereas others were categorized as “chairman’s club.” Exposing such internal information is, by itself, a serious blow to BlackRock’s reputation.

Were there any ways to mitigate the issue?

BlackRock’s problem was purely human in nature. There was no security breach, and no compromise of BlackRock systems. By applying automation, process documentation, and efficient communication practices, every company can minimize human error risks to avoid such problems.

Company name: Voya

Voya is a retirement insurance and annuity company; together with their subsidiaries, they operate as a stock life insurance company in the United States.

What happened?

Voya Financial Advisors paid $1 million to settle Securities and Exchange Commission charges regarding a data security breach that compromised the personal information of thousands of customers in September 2018. In the current year, InvestmentNews says, a computer glitch risked exposing the Social Security numbers of their 1,800 registered reps and financial advisors. Soon after, a list on the Voya Financial Advisors premier advisors website was made accessible to the public. Similar to BlackRock, users there were split into three categories: “premier partners,” “president’s club,” and “chairman’s circle.”

Why does it matter?

Unfortunately, the recurring security issues indicate a weak security culture inside the company. Voya clients will continue to be exposed to the risk that more of their sensitive personal data will be disclosed, and the company will suffer huge reputational damage, which will negatively affect their growth and partnerships.

Were there any ways to mitigate the issue?

The security culture should have been bolstered companywide. By having a clear and documented system, taking systematic measures to ensure security, and training staff, Voya could have prevented these issues.

What should a company do if a data breach has occurred?

If a company finds that its sensitive user data were inadvertently exposed, these steps should be taken to fix the issue:

  1. Delete the exposed information and restrict access to the storage(s) that contained the affected files. Make sure the rest of your data are safe and sound.
  2. Conduct an exhaustive audit of the system, ideally by inviting external professionals or an audit firm.
  3. Compile a list of all the weaknesses, prioritize them, and fix them one by one.
  4. Conduct one more audit to ensure the system has no weaknesses.
  5. Publicize every step your company takes to remedy the security breach on social media and in press releases, thus restoring your reputation.

Meanwhile, the companies discussed in this post have found ways to restore the security and trust of their users. For example, InvestmentNews reported that Redtail Technology is emailing affected investors and offering free access to LifeLock Defender Preferred, a credit and identity theft monitoring and remediation product from Symantec.

The bigger problem underneath

The bigger concern highlighted by these security breaches is the human component. These cases clearly show that cybersecurity standards are being challenged today. The FinTech market is constantly demanding new features from unicorns, so they haven’t devoted enough resources to time-consuming security work. No man is wise at all times; nevertheless, the focus on innovation shouldn’t interfere with the basics of security provision. Redtail serves as an example of how fragile cybersecurity in FinTech can be, and shows that some human-level vulnerabilities the industry faces cannot be escaped through high technical standards or heightened risk management alone.