October 7, 2014

On Monday, KrebsOnSecurity notified MBIA Inc. — the nation’s largest bond insurer — that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines, including a page listing administrative credentials that attackers could use to access data that wasn’t already accessible via a simple Web search.

A redacted screenshot of MBIA account information exposed to search engines.

A redacted screenshot of MBIA account information exposed to search engines.

MBIA Inc., based in Purchase, N.Y., is a public holding company that offers municipal bond insurance and investment management products. According to the firm’s Wiki page, MBIA, formerly known as the Municipal Bond Insurance Association, was formed in 1973 to diversify the holdings of several insurance companies, including Aetna, Fireman’s Fund, Travelers, Cigna and Continental.

Notified about the breach, the company quickly disabled the vulnerable site — mbiaweb.com. This Web property contained customer data from Cutwater Asset Management, a fixed-income unit of MBIA that is slated to be acquired by BNY Mellon Corp.

“We have been notified that certain information related to clients of MBIA’s asset management subsidiary, Cutwater Asset Management, may have been illegally accessed,” said MBIA spokesman Kevin Brown. “We are conducting a thorough investigation and will take all measures necessary to protect our customers’ data, secure our systems, and preserve evidence for law enforcement.”

Brown said MBIA notified all current customers about the incident Monday evening, and that it planned to notify former customers today.

Some 230 pages of account statements from Cutwater had been indexed by Google, including account and routing numbers, balances, dividends and account holder names for the Texas CLASS (a local government investment pool) ; the Louisiana Asset Management Pool; the New Hampshire Public Deposit Investment Pool; Connecticut CLASS Plus; and the Town of Richmond, NH.

In some cases, the documents indexed by search engines featured detailed instructions on how to authorize new bank accounts for deposits, including the forms and fax numbers needed to submit the account information.

Bryan Seely, an independent security expert with Seely Security, discovered the exposed data using a search engine. Seely said the data was exposed thanks to a poorly configured Oracle Reports database server. Normally, Seely said, this type of database server is configured to serve information only to authorized users who are accessing the data from within a trusted, private network — and certainly not open to the Web.

Worse yet, Seely noted, that misconfiguration also exposed an Oracle reports diagnostics page that included the username and password that would grant access to nearly all of the customer account data on the server.

“Malicious hackers finding dozens of universities or companies with Social Security numbers, health data or other information is devastating, but stumbling on bank accounts and the instructions for how to empty them is potentially catastrophic,” Seely said. “Billions in taxpayer funds, invested into one of the largest institutions in the world that were essentially being guarded by a sleeping security guard. What happens to those states when the money disappears?”

A misconfigured Oracle reports server can expose massive troves of sensitive data, a fact documented time and again by another independent researcher — Dana Taylor of NI @root. If your organization depends on Oracle Reports Services, please ensure that your administrators have read and implemented Oracle’s advice on securing these systems.

The accidental disclosure of customer data from MBIA comes amid revelations that foreign hackers — possibly organized crime groups operating out of Russia — hacked into networks of JPMorgan Chase. In public filings last week, JPMorgan said the breach exposed names, addresses, email address and phone numbers for 76 million household accounts and seven million small businesses. However, JPMorgan said that it has no indication that account numbers were exposed in the break-in.

Update, 3:03 p.m. ET: Updated the first and second paragraphs to clarify that the Municipal Bond Insurance Association is a former name for MBIA Inc.


69 thoughts on “Huge Data Leak at Largest U.S. Bond Insurer

  1. M

    apologies if someone already noted this, I didn’t make the time to read all comments..

    “The accidental disclosure of customer data from MBIA comes amid revelations that foreign hackers — ”

    dunno if “accidental” is correct in this scenario..

Comments are closed.