SCNB hit by breach – over 8,000 clear text credentials stolen
by Steve Ragan - Jan 15 2010, 18:04

'Twas the night before Christmas, when Suffolk Bancorp said an internal audit by Suffolk County National Bank (SCNB) discovered that over 8,000 customer online banking credentials were snatched from a server where they resided in plain text.
Suffolk Bancorp said that the 8,378 records accounted for less than ten percent of their customer base at SCNB, but failed to explain the reasoning for leaving such information on a server in the clear.
After the attack was discovered, the servers used by SCNB were rebuilt and various other security measures were put in place. In addition, all SCNB customers should have a letter from Suffolk Bancorp explaining the incident, a statement said, as they went out
According to Amichai Shulman, Imperva’s CTO, what is amazing about the case is not just the fact that the bank has taken until earlier this week to reveal that around 10 percent of its customers' credentials were compromised, but that the data was stored as plain text.
“What I find astonishing about this hack is that you would think that a banking application would undergo much more stress testing than most and, as a result, the storage of user credentials in plain text would have been spotted and remediated early on in the system development process,” Shulman said.
“Although the full modus operandi for this banking hack has yet to be revealed, given that the server was accessed and 8,378 credentials were stolen, I would assume the attacker gained access using an SQL injection approach,” he added.
Neither SCNB, nor their parent Suffolk Bancorp, would discuss the technical aspects of the breach, which occurred over a six-day period from November 18-23. They said in a statement that they have detected no unauthorized use of the stolen credentials since the attack.
“The security of customers’ information is of utmost importance to SCNB. While we know that our diligence in this regard allowed us to uncover this incident, and to take action rapidly to protect our customers, we also recognize that the provision of financial services over the Internet requires our dedication to continuous monitoring and security,” said President and Chief Executive Officer, J. Gordon Huszagh.
“We understand that this kind of incident is a source of concern: both to our customers, even if their personal information is not misused; and to our shareholders for the expense incurred in response. We have responded to this incident as promptly, diligently and forthrightly as we know how, and will continue to do so until it is fully resolved.”
SCNB said that they previously informed customers that toward the end of this month there would be improvements to their Online Banking service. These improvements are counted towards the security enhancements added as a result of the breach.
It’s an interesting turn of phrase, to note that their “diligence” allowed them “to uncover this incident”. However, where was it when the system was put in place, and credentials were allowed to be stored in plain text?
