“Oh the humanity!”- Financial Institution Breached 3 Times in 2 Weeks! April 4, 2012

Posted by Chris Mark in Data Breach, Industry News, Uncategorized.

STOP THE PRESSES!  According to the Patriot Ledger, a financial institution’s security was breached 3 times in 2 weeks and assets were stolen.  The media, however, has been quiet on the story.  I have not heard a single Gartner or other analyst publicly eviscerate the financial institution for their poor security practices nor has Information Week, CNN, or any other major media outlet opined on the breaches. Why?

The financial institution was actually a bank branch, and the breaches were not data thefts; rather, they were good old-fashioned bank robberies. In 1968, in response to increasingly violent and frequent bank robberies, the US Government passed the Code of Federal Regulations Title 12 part 208.61- Bank Security Procedures. The purpose of the Act is as follows:

(a) Authority, purpose, and scope. Pursuant to section 3 of the Bank Protection Act of 1968 (12 U.S.C. 1882), member banks are required to adopt appropriate security procedures to discourage robberies, burglaries, and larcenies, and to assist in the identification and prosecution of persons who commit such acts. It is the responsibility of the member bank’s board of directors to comply with the provisions of this section and ensure that a written security program for the bank’s main office and branches is developed and implemented.

Notice that the regulation says the purpose is to discourage robberies…not PREVENT robberies. Even though the regulation was passed 44 years ago and all banks that are FDIC insured are required to comply, we still see an average of 5,500 bank robberies per year in 98,000 bank branches. This represents 5.6% of bank branches being robbed per year. This is in spite of the fact that the average robbery only nets about $5,000, and 75% of robberies are “cleared” and the criminals apprehended and sentenced to an average of 3.5 years in prison! Compare this to the payment card industry. At last count there were an estimated 5 million merchants in the US. This is 50X more merchants than bank branches. Unlike a bank robber, the thieves that hack into merchants do not need to be in the same proximity as the merchant. Few, if any, cyberthieves are apprehended, and when they are, they often get little more than a slap on the wrist. Finally, consider that stolen credit card data can be sold on the black market for much, much more than a bank robber would make, and it makes sense why we see such activity in the cyber arena.

Banks are much easier to secure than networks. Banks only need to secure one dimension to prevent a robbery: the physical domain. In theory, if you have strong enough vaults and sufficient deterrence, then robberies would be eliminated. As can be seen in the statistics, this is simply not the case. Americans have learned that bank robberies are a simple fact of life. In spite of the fact that they are theoretically easy to prevent, bank robberies occur over 5,000 times per year in the US. In the cyberworld, however, there is a persistent belief that we can prevent cybercrime and that if a company is hacked it is due to their inability to secure their network. In light of the prevalence of bank robberies in spite of how easy they are to prevent, it seems difficult to resolve people’s beliefs that hackers should be easier to stop.

Just food for thought…
