Security The Almighty Buck

Ransomware Locks Credit Union Users Out of Bank Accounts (arstechnica.com) 27

An anonymous reader quotes a report from Ars Technica: A California-based credit union with over 450,000 members said it suffered a ransomware attack that is disrupting account services and could take weeks to recover from. "The next few days -- and coming weeks -- may present challenges for our members, as we continue to navigate around the limited functionality we are experiencing due to this incident," Patelco Credit Union CEO Erin Mendez told members in a July 1 message (PDF) that said the security problem was caused by a ransomware attack. Online banking and several other services are unavailable, while several other services and types of transactions have limited functionality.

Patelco Credit Union was hit by the attack on June 29 and has been posting updates on this page, which says the credit union "proactively shut down some of our day-to-day banking systems to contain and remediate the issue... As a result of our proactive measures, transactions, transfers, payments, and deposits are unavailable at this time. Debit and credit cards are working with limited functionality." Patelco Credit Union is a nonprofit cooperative in Northern California with $9 billion in assets and 37 local branches. "Our priority is the safe and secure restoration of our banking systems," a July 2 update said. "We continue to work alongside leading third-party cybersecurity experts in support of this effort. We have also been cooperating with regulators and law enforcement."

Patelco says that check and cash deposits should be working, but direct deposits have limited functionality. Security expert Ahmed Banafa "said Tuesday that it looks likely that hackers infiltrated the bank's internal databases via a phishing email and encrypted its contents, locking out the bank from its own systems," the Mercury News reported. Banafa was paraphrased as saying that it is "likely the hackers will demand an amount of money from the credit union to restore its systems back to normal, and will continue to hold the bank's accounts hostage until either the bank finds a way around the hack or until the hackers are paid." Patelco hasn't revealed details about how it will recover from the ransomware attack but acknowledged to customers that their personal information could be at risk. "The investigation into the nature and scope of the incident is ongoing," the credit union said. "If the investigation determines that individuals' information is involved as a result of this incident, we will of course notify those individuals and provide resources to help protect their information in accordance with applicable laws."
While ATMs "remain available for cash withdrawals and deposits," Patelco said many of its other services remain unavailable, including online banking, the mobile app, outgoing wire transfers, monthly statements, Zelle, balance inquiries, and online bill payments. Services with "limited functionality" include company branches, call center services, live chats, debit and credit card transactions, and direct deposits.

  • by oldgraybeard ( 2939809 ) on Wednesday July 03, 2024 @06:12PM (#64599205)
    "hackers infiltrated the bank's internal databases via a phishing email" How does that even work. Who designs systems like this?
    • by Shakrai ( 717556 )

      MGM got owned by a social engineering attack directed against the IT team. Even people who should know better only have to make a mistake once.....

    • by oldgraybeard ( 2939809 ) on Wednesday July 03, 2024 @06:20PM (#64599225)
      More importantly! Who builds and runs an operation this broken!
      And when do we find out the name of the Microsoft partner involved in this standard admin and security outsourcing disaster!!
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        More importantly! Who builds and runs an operation this broken! And when do we find out the name of the Microsoft partner involved in this standard admin and security outsourcing disaster!!

        It's the curse of hiring point-and-click admins.
        I manage IT in the healthcare space. Several hundred clients.
        Two offices have been cryptolocker'd in the last 18 years that we've been doing this.
        They were specific targeted attacks--AV didn't even remotely detect a problem.
        But our internal monitoring system alerted us when it noticed files being changed--files that should basically be write-once-read-many or operations on folders that might see 5-10 writes per year...or our canary tokens disappeared.

        We
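The monitoring described in the comment above (alerts on changes to write-once files, on write bursts in folders that normally see a few writes a year, and on canary files that disappear), as an added example that is not part of the original comment or the commenter's system. The folder policy, the `(path, operation)` event format and the sample paths are constructed assumptions.

```python
import hashlib
from collections import Counter
from pathlib import Path

# Constructed policy (assumption): expectations per folder for one monitoring window.
POLICY = {
    "/archive/scans": {"worm": True},        # write once, then read-only
    "/finance/year-end": {"max_writes": 2},  # normally a handful of writes per year
}
CHANGE_OPS = {"modify", "delete", "rename"}  # operations a WORM file should never see
SAMPLE_EVENTS = [  # constructed audit events: (path, operation)
    ("/archive/scans/2019-001.pdf", "modify"),
    ("/finance/year-end/fy23.xlsx", "modify"),
    ("/finance/year-end/fy22.xlsx", "rename"),
    ("/finance/year-end/fy21.xlsx", "delete"),
    ("/home/alice/notes.txt", "modify"),
]

def folder_for(path, policy):
    """Return the longest policy folder containing path, or None."""
    hits = [f for f in policy if path.startswith(f + "/")]
    return max(hits, key=len) if hits else None

def check_events(events, policy=POLICY):
    """Flag changes to WORM files and write counts above a folder's baseline."""
    alerts, writes = set(), Counter()
    for path, op in events:
        folder = folder_for(path, policy)
        if folder is None:
            continue  # path is not covered by the policy
        if policy[folder].get("worm") and op in CHANGE_OPS:
            alerts.add((folder, "worm-file-changed"))
        writes[folder] += 1
    for folder, count in writes.items():
        limit = policy[folder].get("max_writes")
        if limit is not None and count > limit:
            alerts.add((folder, "write-burst"))
    return sorted(alerts)

def check_canaries(baseline):
    """baseline maps canary path -> SHA-256 recorded when it was planted."""
    alerts = []
    for path, digest in sorted(baseline.items()):
        if not Path(path).is_file():
            alerts.append((path, "canary-missing"))
        elif hashlib.sha256(Path(path).read_bytes()).hexdigest() != digest:
            alerts.append((path, "canary-modified"))
    return alerts
```

Neither check depends on recognising the malware itself, which is why signals like these can fire when antivirus detects nothing.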

    • Microsoft, it is always Microsoft

      • by gweihir ( 88907 )

        Not only. It is also the morons buying and using Microsoft toy-level "systems" for critical functions. If the customer is incompetent and greedy, the market stops working.

    • "How does that even work."

      The most obvious way would be that the email got somebody with a lot of privileges to type his credentials into a site controlled by the hackers.

      Of course, this raises the questions--where was the 2FA? Where was restricting access to the bank's own VPN?

      • by gweihir ( 88907 )

        And also, why did system administration tasks not require the use of separate, dedicated and hardened systems?

      • by ls671 ( 1122017 )

        "How does that even work."

        The most obvious way would be that the email got somebody with a lot of privileges to type his credentials into a site controlled by the hackers.

        Of course, this raises the questions--where was the 2FA? Where was restricting access to the bank's own VPN?

        I asked them and they replied: "What's a VPN?" /s

    • by gweihir ( 88907 ) on Wednesday July 03, 2024 @08:14PM (#64599457)

      "hackers infiltrated the bank's internal databases via a phishing email" How does that even work. Who designs systems like this?

      Simple: Greedy scum C-levels hiring cheap, incompetent people and then giving them not enough money and time on top. Also, clearly a regulatory failure. In the banking systems I know, you have separate hardware to even access anything really critical and no regular email or web access or anything, really, from those systems. Of course, that costs money. Money that can be better spent on undeserved bonuses for the C-levels.

    • by AmiMoJo ( 196126 )

      It probably wasn't designed at all. Just built up over decades, contractors asked to write software to fulfil specific needs, no consideration for the overall system or integrated security.

  • "Hit by attack" (Score:3, Insightful)

    by gavron ( 1300111 ) on Wednesday July 03, 2024 @06:31PM (#64599251)

    Nobody was "hit by attack." They incompetently didn't bother to secure their systems.

    Can't be bothered to close the safe when your credit union closes for the night? Don't blame the people who robbed you and pretend you had nothing to do with it but HERE IS ONE YEAR OF LIFELOCK WOOHOO!

    Any facility hosting financial or PII should be put out of business the very next day. If they can't be bothered to do the bare minimum they shouldn't bother at all.

    If you disagree, have a year of LIFELOCK with credit lock. So now you can't sue those people who literally gave away your PII.

    Close them down. The excuses just keep on getting stupider.

    • Re:"Hit by attack" (Score:4, Insightful)

      by Baron_Yam ( 643147 ) on Wednesday July 03, 2024 @06:40PM (#64599273)

      There are two groups of offenders - the cyber criminals, and the negligent credit union staff.

      However, if you're going to ask me to rank the two... the latter are only negligent because of the criminal acts of the former. Hang those in the public square as an example, the negligent staffers can enjoy unemployment.

      • by gweihir ( 88907 )

        Ah, the usual crap bogus excuse. The negligent C-levels (and that is where the rot usually sits) should go to prison for something like this or nothing will change. Sure, the attackers will go to prison long-term if ever caught, but that does not excuse inadequate IT security at a frigging _bank_ at all.

        • by ksw_92 ( 5249207 )

          Taking your line of thought to the extreme: we should be putting rape victims in prison because "they asked for it, with their big tits and loose ways", right?

          Ransomware is rape, writ large. If women (or whatever sex/gender is targeted...can't have the Alphabet Team up in arms over being left out) had to follow what we expect of IT, they'd be best served by being locked in a high castle tower with dragons for guards. How would they ever get a date, or procreate?

          Zero-days and weak staff will always be an iss

          • In a modern civilized nation with the rule of law and a moderately effective police service, you can usually afford to be less brutal with punishments. The goal, obviously, is to maximize your happy and productive citizenry and that includes rehabilitating criminals.

            However, we appear to have forgotten an old rule - the more difficult it is to catch a particular type of criminal, the harsher the punishment; the perceived risk/reward has to be high. If cyber crime is something you can mostly get away with

    • by gweihir ( 88907 )

      Indeed. No bank should ever have IT security that cheaply and badly done that they can even be really hit by ransomware. And "weeks to recover"? That is simply ridiculous. They cannot have invested anything into BCM and DR tests and are probably doing the absolutely bare minimum there. Greed at work. This disaster should result in personal penalties for those responsible, starting with the CEO.

  • by tanimislam ( 1452305 ) on Wednesday July 03, 2024 @06:37PM (#64599267) Homepage
    This has been an interesting experience for me. I wonder whether I should contribute to the Wikipedia article about this debacle in 6 months' time. The best communication I found comes from this reddit post by Patelco members: https://www.reddit.com/r/bayar... [reddit.com]
    • by Shakrai ( 717556 )

      Do you keep redundancy of accounts? I have three checking accounts and could weather something like this. Impact would range from trivial (if they hit either of the 'backup' institutions) to "major pain in the ass" (if they hit my primary that gets my payroll and has bulk of my liquid savings) but my worst case would be eating a little bit of credit card interest.

      In a scenario like this, I'd expect them to cover my cc interest and any other late fees/losses directly associated with this incident. Hopefu

      • Nope, this is one of those "experience is the best teacher" sort of situations. Right now, my parents' account is the Plan B. As soon as possible, switching to other accounts and keeping the minimum allowable balance (and closing my high interest savings account).
  • Maybe not that cheap after all? Would definitely be a good thing if this kills them with customers leaving.

  • I know credit unions have become super creative about defining their supposedly limited markets, but ... WTH is this?

    A credit union for families named "Patel"?

  • shouldn't there be a redundant isolated failsafe restorable tested base state? No? Really?

  • This is why I have about 500 cash sitting around in paper and money at 2 different banks.
