August 3, 2018

TCM Bank, a company that helps more than 750 small and community U.S. banks issue credit cards to their account holders, said a Web site misconfiguration exposed the names, addresses, dates of birth and Social Security numbers of thousands of people who applied for cards between early March 2017 and mid-July 2018.

TCM is a subsidiary of Washington, D.C.-based ICBA Bancard Inc., which helps community banks provide a credit card option to their customers using bank-branded cards.

In a letter being mailed to affected customers today, TCM said the information exposed was data that card applicants uploaded to a Web site managed by a third party vendor. TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.

Bruce Radke, an attorney working with TCM on its breach outreach efforts to customers, said fewer than 10,000 consumers who applied for cards were affected. Radke declined to name the third-party vendor, saying TCM was contractually prohibited from doing so.

“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said. “We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”

ICBA Bancard is the payments subsidiary of the Independent Community Bankers of America, an organization representing more than 5,700 financial institutions that has been fairly vocal about holding retailers accountable for credit card breaches over the years. Last year, the ICBA sued Equifax over the big-three credit bureau’s massive data breach that exposed the Social Security numbers and other sensitive data on nearly 150 million Americans.

Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers. For example, identity theft protection provider LifeLock recently addressed a Web site misconfiguration that exposed the email addresses of millions of customers. LifeLock’s owner Symantec later said it fixed the flaw, which it blamed on a mistake by an unnamed third-party marketing partner.

Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners (consider the Target breach, which began with an opportunistic malware compromise at a heating and air conditioning vendor). Nevertheless, organizations of all shapes and sizes need to be vigilant about making sure their partners are doing their part on security, lest third-party risk devolves into a first-party breach of customer trust.


45 thoughts on “Credit Card Issuer TCM Bank Leaked Applicant Data for 16 Months

  1. Bill

    Is it possible to find out what member banks were affected?

    1. BrianKrebs Post author

      I suppose TCM has that information, but they haven’t shared it. They did, however, say that those individuals impacted would be notified by mail.

      1. Matt

        apologies if I missed this in the article, but by “customers” do they mean member banks that use TCM/ICBA services will be notified, or are they going to be sending emails directly to the individual people?

  2. Jim

    3rd parties should be held accountable for testing, validating and providing proof that the project is completed properly and secured via pen-testing. etc.

    1. Frank

      Third parties don’t want to assume that risk. The contracts are not lucrative enough.

  3. David1

    Sometimes I wonder if their are allowing these breaches on purpose. I don’t understand after all this time how this crap keeps happening so easily. They are either idots or they don’t care.

    1. KFritz

      It’s quite possible that they’re idiots who also don’t care.

    2. SkunkWerks

      Ask anyone in IT what happens when you try to have a frank and grave conversation with the folks who set the budget regarding “complicated computer security stuff”.

      I agree the outcomes are less than stellar, but I don’t think they’re deliberate.

      Hanlon’s Razor suggests otherwise.

  4. Andrew Rossetti

    Another good article, Brian! Vendor management has become one of the toughest if not the toughest challenge that we face (I work for a community bank), especially when direct vendors themselves outsource key aspects of their service.

    One of the things that we’ve asked our regulators recently is if there is any way that they can “encourage” our vendors to be more forthcoming with things such as their own information security program, business continuity plans, and the like. It’s not an issue with ALL vendors to be sure, but with some, including some key ones, it is huge challenge to say the least. I’m often provided with one page documents that essentially say “we have an info sec program and a DR program” and am expected to opine on their adequacy.

  5. Dennis

    “an unnamed third-party marketing partner” — translation: “We were selling your data to some schmuck that didn’t even care to secure it.”

    1. TimH

      That was Lifelock, not TCM.

      I was beaten by a large stick that Lifelock was sleazy when I got spam advertising them a few years ago.

  6. James Beatty

    ICBA’s website has the following splash at the top of the page:

    “ICBA’s systems will be undergoing routine system maintenance beginning Friday August 3rd at 3:00 P.M. CDT until Saturday August 4th at 4:00 P.M. CDT. We apologize for any inconvenience.”

    Coincidence?

  7. gigi

    Due diligence belongs first and foremost to the purchasing party, as in “caveat emptor”. But the purchaser has to be well informed of security risks, highly skeptical of flimsy promises, and motivated by the potential consequences of going too fast, too cheap, or too easy. Unfortunately, based on the continued gross lack of accountability that has been given to the C-Suite decision makers who just take their marbles and go elsewhere to perpetuate their incompetence, lip service seems to be the default security standard across all sectors. Any potential endor that can’t put up real documentation/proof of process should be sent packing. How ;hard is that?

  8. Bobby Jr

    Outsourcing risk sounds like a great idea until you realize that the risk to reputation is still there. Your customers don’t care that Bob’s Software Shack screwed up their website, they care that data they entrusted to you has been compromised. While you may not face any consequences due to failure to comply with some regulation, you will see consequences as a result of the damage to your brand and customer relations.

    1. Marian

      Bobby, your comments are right on. Indeed, us third party managers at banks (I am one) have had drilled into our heads that we can outsource the service, but we cannot outsource the risk. That’s the one tweak I’d make to your observations. And for the reasons you stated: the average consumer can’t — and frankly, shouldn’t have to — differentiate between a trusted financial institution and its third parties who do everything from check printing to rewards point fulfillment to offer core banking and online services. Caveat bank.

      1. TimH

        Ok Marian, but does the most senior person in the chain that selects the outsource get fired if the service screws up? Didn’t think so.

    2. Readership1 (previously just Reader)

      I wish you were right, but, as I’ve written in comments to other articles, the public does not care.

      Two examples. It’s been a while since Home Depot and Target were hacked. They still store credit card numbers long after transactions are completed; if you bring a 6 month old receipt to obtain a refund, they won’t need you to show the credit card.

      You can’t blame them for not learning the lesson when their sales are increasing and stock prices are rising. Clearly, customers and stockholders don’t care about breaches of customer data.

      OPM was hacked. CIA Brennan had his accounts taken over by the same 15 year old who hacked Comey’s FBI deputy. Electric and water utilities are being hacked. Credit bureaus are leaking data everywhere ….

      All this, and the public doesn’t march in the streets. There’s no consumer revolts. The vast majority doesn’t change their shopping habits or personal finance schemes, despite news about hacks and breaches.

      It’s fair to generalize: the public doesn’t care.

      1. SkunkWerks

        “It’s fair to generalize: the public doesn’t care.”

        More or less. I’d get a bit more specific though.

        “What we don’t know can’t hurt us/someone else is taking care of it”.

        There are some people who show an interest, but when they do they’re usually expressing it in odd, ineffective, and almost superstitious ways.

  9. Jeff Neithercutt

    It could be a cop-out to say “all affected “customers” will be notified by mail” because technically their “customers” are the small banks who contract with them for card services. Is there any assurance that the end user who’s information was actually exposed will be notified by mail? Follow-up question, who’s verifying that they fixed it right THIS time? In my experience banks like to do business with businesses who make big promises about security so the bank doesn’t have any residual liability, but I’d like to see legislation enacted to force the companies with our PII entrusted to them to use IV&V services (independent verification and validation) to PROVE they’ve locked the doors and windows protecting our data.

    1. Anon404

      Id like to see businesses forced to name their third party providers in their EULA’s instead of a blanket “we may share your data with partners for the purposes of providing your services”. If I am going to be giving my data to a company, I think it should be kept with that company and that company only, unless they specifically state otherwise and provide the name of the other company. That way I can give informed consent.

      1. Dave

        it would be nice for those companies to list their third party providers in their EULA, but there are two problems. the first is that no one ever reads the EULA. Its so packed with legalese that people that do read it can’t make any sense of it unless they are a lawyer also. The second problem is that third party providers come and go. This would require that the EULA be constantly updated and the vendor would either be constantly mailing updates to the EULA or the EULA update email would become so ubiquitous that they would become ignored and we would be back in the same place with a problem of third party vendor’s messing up (maybe).

        1. David

          This is actually required under GDPR now in Europe. Third party data processors must be published for customers to review and customers can request their data not be held by them (of course with whatever restrictions to service that causes). It’s an interesting thing, and California and likely other states are contemplating legislation similar to GDPR (though who knows if this third party disclosure requirement will be in it).

    2. indieschmo

      The “affected customers” here are actually customers of TCM Bank. TCM Bank provides credit card options for community banks that do not have a credit card offering. Community banks will refer to TCM Bank, have a card branded with the commbanks logo, and receive some monetary share.

    3. Anne

      I actually received said letter in my mail, and I’m an end user at a local Federal Bank. It came straight from them, and not through said local bank. The letter contains a code to use for a 12 month Experian identityworks something or other and has some information on how to protect your ID. All that seems absurdly stupid considering the length of what they can do with my information without my ability to protect myself.

  10. Followthe$$

    Unfortunately this institution has to pass a significant amount of its revenue to the parent company, ICBA Services Network all the way up to ICBA. These resources are not being utilized to secure their most vital data. Vendor selection and management decisions are sacrificed to ensure this income flow sustains the salaries of ICBA’s senior management. Former ICBA CEO, Cam Fine, had a annual compensation package of more than 2.5 million dollars according to the company’s 990 tax form. This is suppose to be a “non-profit” trade association, not a publicly traded corporation. There are no stock holders here to be appeased, just shear corporate greed in the “non-profit” space that has gone unchecked for far too long.

  11. TimH

    “information exposed was data that card applicants uploaded to a Web site managed by a third party vendor.”

    Why would a card applicant “upload data”. Fill in a web form, sure, but upload data?

    1. Jen

      Maybe paystubs or other income/employment verification docs?

  12. KFritz

    In construction, the general (main, primary) contractor often hires subcontractors (the equivalent of a third party vendor) to do specific, skilled work–think plumbing or electrical. If poor electrical work causes a catastrophic fire, or lousy plumbing floods a building with excrement, the general contractor is responsible for the mess, and liable for all costs–and also subject to criminal and/or civil penalties. Any intelligent general contractor vets subs carefully, and has an employee (and him/herself) watching the sub’s work. The same principle applies to online security. Blaming third party vendors for failures is just as useful and responsible as, “The dog ate my homework.”

  13. John White

    Hi Mr Krebs, really enjoy reading articles on your site. Do you have any plans on another book? Would like to read an updated version of your first one but with a focus on 2018 occurences e.g. a bigger highlight on things such as cryptocurrency.

  14. Jim

    Good article. Well done again. But, my usual. On the fault? May I relate, best practices yesterday do not mean best practices today. The standards change daily. The bank data procedures were set up with yesterday’s best practices by the one programmer. He did his dilligant best. Then something changed, he didn’t hide something, forgot a comma or added or mistook a result. Data wasn’t secured, and someone, finally found the results of the mistake. Remember, not everyone is from the same school, or researching the same topics. So they don’t all remember to search their programs the same ways. Or test their programs the same way. It is that researchers have not gotten to the programmers to help. So mistakes will slip thru. And, remember, the bank president is usually schooled in banking, and physical security, which is different then data security. And until a bank president goes to jail for lack of data security, nothing will be done.

  15. Jan

    I do not trust these third party systems at all. GDPR addressess a lot of issues though it is a nightmare for SME’s to implement. Card issuers, banks should really have the tightest security over our data.

  16. VAU

    I hope those business units wanting to speed-up the procurement and vendor management process are reading this. This happens when you want to skip the third-party assessment process claiming they (business units) have been utilizing the vendor for many years; even to the point of escalating the assessment team.

    Informative article.

  17. Catwhisperer

    “Radke declined to name the third-party vendor, saying TCM was contractually prohibited from doing so.”

    Take them to court for damages due to the breach and that argument will fly like a lead balloon.

  18. JD

    Big data is personally identifiable information being bought and sold which sometimes links financial and medical data. As with the early wild west there is no sheriff, nobody at watching it, and the theft typically goes unpunished. Businesses treat theft as a minor risk and the data itself as having big financial value.

    The problem I see with all this is the data has such a large positive value. Until there is a risk to businesses and rules on its trade, this will continue and lawlessness flourish.

  19. do better

    don’t understand how these banks can hire a 3rd party vendor with a one time security check. should be continuously monitoring the security of its 3rd parties in the same way the security teams are monitoring the first party code.

  20. Darkwebssolutions@gmail.com

    My advice to you all is to be very vigilant when investing to binary options and all other high yield investment programs, I invested $200,000 and was unable to get my hard earn money back, but thanks to an organization i was referred to through nothing short of a brother…they helped me to recover all my lost funds at least 80% was, I can’t keep my joy that’s why I am doing this as a means of appreciation, for your fund recovery that has been lost to binary option brokers, contact them on gmail darkwebssolutions, they Also provide . wide range of investigative and forensic services., a very good job!

Comments are closed.