Pentagon Credit Union Database Compromised
Trailrunner7 writes "The credit union used by members of the US armed forces and their families has admitted that a laptop infected with malware was used to access a database containing the personal and financial information of customers. The Pentagon Federal Credit Union (PenFed) issued a statement to the New Hampshire Attorney General that said data, including the names, addresses, Social Security Numbers and PenFed banking and credit card account information of its members, were accessed by the infected PC."
Quick... (Score:3)
Re: (Score:3)
It's sad when your first thought on reading this story is 'oh, another Windows fail', but the sad reality is that I would bet my life that it was. Assuming I am correct, will Microsoft be held accountable?
Re: (Score:1)
No.
Re: (Score:2)
?
Re: (Score:3)
Re: (Score:3)
It's sad when your first thought on reading this story is 'oh, another Windows fail', but the sad reality is that I would bet my life that it was. Assuming I am correct, will Microsoft be held accountable?
Of course Microsoft is not responsible, but also consider, had the laptop-toting person responsible been using something other than Windows, it would be highly unlikely that we would be having this discussion. It occurred to me after I posted (and after reading the article) that the laptop could have been a personal one, and it doesn't really matter what the bank is using if the guy loaded up the database on it and the malware quietly sent it elsewhere.
Re: (Score:2)
Most malware programs don't copy every file and send the data over.
So either the malware was suspiciously very targeted (looks for such files and sends contents out) or this was just a precautionary measure - they had to assume the data was compromised even if the malware didn't actuall
Re: (Score:2)
More than likely if the PC was up to date, and safe practices were used, then this issue could have been prevented.
That said, such safe practices are much more maintenance and unwieldy in the Windows world - no I'm not dissing, it's fact from experience, as many of you may know.
Technically, Microsoft is accountable. Legally, not.
Re: (Score:2)
Only Ye Ole Under The Mattress Bank.
And even then, it's up to the depositor to ensure that the room is windowless...
Re: (Score:2)
It is the fact that they allow database access from an external, insecure site that is the issue - not which operating system is in use.
Re: (Score:2)
Oh dear, so many ways to feed the troll. Hmmm, how about a bad car analogy?
That's like a customer wanting a car that has high safety ratings, but calling them a tool because people seldom get in wrecks anyway.
It's the IT, not the OS (Score:4, Insightful)
In the end, these sorts of egregious breaches can be blamed on IT and/or management. The latter mostly in cases where they unduly restrict IT from doing their jobs properly. In other (most) cases, it is because IT wasn't on the ball with security.
These stories come out again and again and again, and yet we still see people being allowed to do the wow-stupidest things you can imagine.
A few simple rules for people who haven't learned from these countless news stories:
1. Company computers should only be allowed to perform company functions, and only company computers should be allowed to access company assets.
2. Computer users should never have more access to their own computer or to company assets than they need. And always be conservative at first, and bump up their privs later if it becomes necessary.
3. In situations where users might have access to assets that could potentially put other people's information at risk, those users should be required to undergo some basic security training.
I'm just typing off the top of my head (I'm sure /. can add a few more), and already I've delineated more than I see done in most operations I've seen. It is rather amazing.
And it is extremely infuriating. These people are in charge of my assets. Increasingly all of us have to (if we want to participate in modern society) put more and more of our data into the hands of others. And again and again they prove that they don't deserve the trust we're putting in them.
Re: (Score:1)
Although I agree with everything you are saying in theory, I think there are some practical matters here that make these things tricky:
1. Company computers should only be allowed to perform company functions, and only company computers should be allowed to access company assets.
So, what is a company function? I agree - changing/revealing SSNs is a company function. However, a ton of viruses come from contaminated USB sticks too. If your job is to review a bunch of vendor presentations from USB sticks/e-mail/other external sources, how do you secure your "company" computer?
2. Computer users should never have more access to their own computer or to company assets than they need. And always be conservative at first, and bump up their privs later if it becomes necessary.
Sounds great. However, it always takes IT at least an hour to do this at my c
Re: (Score:2)
2. This is all fine and well to say... but in actual practice most companies, especially older companies and Gov
Re: (Score:1)
I agree 100%, but what are people doing? When I investigated the crapware that my bank put on a virtual copy of WinXP (required by the bank so that it could connect to the bank site with IE6; no, this is not a joke), it quickly became apparent that I should not / could not use the USB dongle they SOLD me for the connection. The dongle had no real use besides triggering IE6 to download a certificate and a few other "programs" necessary for the connection. I used it once and it was so unfriendly and stupid I thre
Re: (Score:2)
As a PenFed customer, I'll be contacting them.
Corporations in charge of important personal data should choose security over convenience, should not use Windows, should not WANT to use Windows, and should lock down their systems.
IMO they should restrict users to thin clients at their brick-and-mortar locations. No laptops, no mobility, tough shit.
An institution that serves the military should have a military chain of command, give orders not requests, and crush anyone who doesn't obey them.
Re: (Score:2)
I'm not happy about the situation but how they're handling it is everything I've come to expect from PenFed.
Re: (Score:1)
I'm in the same boat. The article mentions that affected customers were reissued credit and debit cards, so presumably not hearing anything is a good sign, but I'll be calling them as soon as I get home.
Re: (Score:2)
Re:What should I do? (Score:5, Insightful)
Usually their first recommendation is to put a watch on your credit score. A lot of the time when a bank has a breach they offer to pay for a year or so of this service to all their members whose information may have been exposed, so you can call them and see what they are offering for safeties after the fact.
Change your PIN and password, security question, etc. for this account immediately. If you have a PIN or other password etc. used on that account that you use in other places, you should change those other places also, as they may try to use the credentials on other accounts they can figure out are yours in other places.
Also, while you're talking with this credit union, see what they can do to adjust the 'paranoia level' on your account. That's what gets you a phone call from them when you go on a vacation and buy a bunch of stuff and suddenly the card is getting declined. You want high paranoia on their part for a while. There may be ways to set reasonable hard limits on charges per day etc., a bit like how you can usually only pull $250 cash a day from an ATM. Set those limits temporarily as tight as you feel you can. They may have other options; ask them.
And of course the ever-popular "consider changing banks". Do you really trust them as much with your money as you did before?
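As an added example (not part of the post, and not PenFed's actual fraud logic), here is a small Go model of the two controls the post describes: a hard per-day spending cap, like the $250/day ATM limit, and a "high paranoia" mode that holds out-of-pattern charges (here: out-of-country) for verification instead of approving them. The Txn and Policy types, the decision names and the sample transactions are all constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Txn is one card authorization request (constructed model, not a real card-network format).
type Txn struct {
	Account string
	Cents   int
	Country string
	At      time.Time
}

type Decision string

const (
	Approve Decision = "approve"
	Decline Decision = "decline" // hard daily cap would be exceeded
	Verify  Decision = "verify"  // held pending the "phone call" the post mentions
)

// Policy is the per-account "paranoia level" a customer could ask the bank to tighten.
type Policy struct {
	DailyCapCents int    // hard limit on approved charges per UTC day
	HomeCountry   string // where the cardholder normally transacts
	Paranoid      bool   // when true, out-of-country charges are held, not approved
}

// Evaluate walks authorizations in order, tracking what has already been
// approved for each account on each UTC day, and returns one decision per Txn.
func Evaluate(p Policy, txns []Txn) []Decision {
	approved := map[string]int{} // "account|YYYY-MM-DD" -> cents approved that day
	out := make([]Decision, 0, len(txns))
	for _, tx := range txns {
		key := tx.Account + "|" + tx.At.UTC().Format("2006-01-02")
		switch {
		case approved[key]+tx.Cents > p.DailyCapCents:
			out = append(out, Decline) // declined charges do not count toward the day's total
		case p.Paranoid && tx.Country != p.HomeCountry:
			out = append(out, Verify) // not counted until the customer confirms it
		default:
			approved[key] += tx.Cents
			out = append(out, Approve)
		}
	}
	return out
}

// SampleTxns is a constructed day-and-a-bit of activity for two accounts.
func SampleTxns() []Txn {
	d1 := time.Date(2011, 1, 20, 9, 0, 0, 0, time.UTC)
	return []Txn{
		{"A", 12000, "US", d1},
		{"A", 10000, "US", d1.Add(2 * time.Hour)},
		{"A", 6000, "US", d1.Add(3 * time.Hour)},  // would push A past $250 for the day
		{"A", 2000, "FR", d1.Add(5 * time.Hour)},  // within the cap, but out of country
		{"A", 3000, "US", d1.Add(24 * time.Hour)}, // next day: the counter has reset
		{"B", 20000, "US", d1.Add(1 * time.Hour)},
	}
}

func main() {
	p := Policy{DailyCapCents: 25000, HomeCountry: "US", Paranoid: true}
	txns := SampleTxns()
	for i, d := range Evaluate(p, txns) {
		fmt.Printf("%s %6d %s -> %s\n", txns[i].Account, txns[i].Cents, txns[i].Country, d)
	}
}
```

With the paranoid policy the third charge is declined by the cap, the small French charge is held for verification, and the next-day charge is approved again; with Paranoid set to false the French charge is simply approved because it still fits under the cap.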
Re: (Score:2)
I just use the simple approach of keeping VERY little money in my accounts. With the economy the way it's been lately, that hasn't been much of a problem.
Re: (Score:2)
And of course the ever-popular "consider changing banks". Do you really trust them as much with your money as you did before?
Do you really trust any other financial institution with your money more than you trust them? These issues are systemic, not isolated to one or even a handful of financial services firms. You might be surprised to know how many such events occur, but are never properly disclosed.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Trust them more, they admitted it.
Introduce tort law in the banking sector, just like they have in the medical sector.
The weak link (Score:3)
As always, people not following proper procedures.
Re: (Score:1)
As always, people not following proper procedures.
Is it really people not following procedures? Or is it lack of procedures for people that don't follow procedure?
Re: (Score:2)
It's usually a healthy mix of both.
How can you blame Assange (Score:1)
And if those data get secretly sold to bad guys, do you think it's better than publishing all of them for free?
Re: (Score:2)
I still find it crazy that... (Score:4, Interesting)
I still find it crazy that systems like these don't have dedicated computers for accessing that info. Personally, I *refuse* to enter ANY kind of password into most people's laptops, let alone access sensitive information belonging to thousands of people. Then again, no one cares about "other people's information" until that other person is you...
Re: (Score:2)
This (and several other comments) really boils down to one thing: the price of security. The companies or organizations that get compromised rarely face any actual cost to being compromised, so the costs for doing security right (like having dedicated computers for accessing financial information) are seen as "not worth the money."
This will only get better when the cost of being compromised is borne by the group that screwed up, not the customers of that organization.
Re: (Score:2)
People are selfish.
News at 11.
Re: (Score:2)
Geek Tip: It's handy to keep a Live OS on a USB drive on your keyring, for emergency access to sensitive sites, like banking and /.
This what they did for me... (Score:2, Interesting)
They gave me a new CC# right away, and offered two years free credit monitoring. Meh, better than nothing I guess.
Malware... (Score:1)
Facts please! (Score:1, Redundant)
This is a credit union that happens to be used by military personnel. The credit union is not on a military network.
Re: (Score:1)
Where was it stated otherwise?
Re: (Score:1)
Where was it stated otherwise?
Everywhere. References to "air gap" security, references to Wikileaks, and of course -- "the pentagon network" (as if there is actually such a thing...). And this is only in the first few minutes since the story got posted. Just wait a few hours and there'll be dozens, maybe hundreds...
Re: (Score:2)
The simple solution is to publish (on wikileaks?) the address of the responsible culprit - and the military and ex-military personnel will probably somehow manage to ensure that the data isn't used for malicious purposes.
Air-gap security! (Score:2)
There needs to be more air-gap security implemented in systems that are as important as banks/credit unions.
I'm not referring to the air-gap currently between the ears of whoever is in charge of their computer systems.
Mainframe only? (Score:1)
What happened to keeping personal information like this to private mainframe computers, with LAN access only? Putting data like this on a laptop is only asking for trouble. We never seem to learn.
A case for laws? (Score:3)
I wonder if there should be laws that make persons working for banks, utility companies, etc. criminally and civilly liable for violating that organization's IA rules.
I'm talking about organizations responsible for information systems whose compromise could lead to significant public harm.
Re: (Score:3)
Only if the infected laptop shared two Justin Bieber songs with the host machine. Then we'd see the correct penalty.
Re: (Score:1)
This is incredibly sad. (Score:4, Insightful)
Let's look at this.
In short, infected devices have caused serious problems (and occasionally fatalities). The Pentagon has been subject to malware-related cyber-attacks, including (as noted in the list) serious cases of espionage, in the past. That people are (a) running devices that are open to attack, and (b) are able to connect such devices to any Pentagon network, is seriously pathetic.
Re: (Score:2)
That people are (a) running devices that are open to attack, and (b) are able to connect such devices to any Pentagon network, is seriously pathetic.
With the current security landscape, this boils down, essentially, to:
(a) People are using computing devices
(b) Some computers are able to connect to the Pentagon network
Re: (Score:2)
Except that Windows is more vulnerable to malware than other OSes by orders of magnitude.
Re: (Score:2)
To meet OP's requirements, number of vulnerabilities doesn't really matter. All systems have some vulnerabilities. With few exceptions, they're not theoretical vulnerabilities, either -- they're actively exploited. So regardless of the device people use, it will be the case that they are using a device that is open to attack.
Re: (Score:2)
Not really. You just require that mobile devices that connect to classified or commercially sensitive networks that relate to defense meet FIPS standards and if they can perform computations are also EAL6 or EAL7 certified.
Yes, there's not much that's at that level, but if you create a demand for such products you will see the production of such products.
It's also true that fixed devices internal to the secure networks don't need to be that highly secure, but you've got to bear in mind that mobile devices a
Re: (Score:2)
That people are (a) running devices that are open to attack, and (b) are able to connect such devices to any Pentagon network, is seriously pathetic.
With the current security landscape, this boils down, essentially, to: (a) People are using computing devices (b) Some computers are able to connect to the Pentagon network
Best solution... Pentagon to drop the reliance on computers. Errr... wait... and paper too (because the Pentagon papers were... well... on paper).
Re: (Score:1)
Re: (Score:2)
The malware-related espionage attack was against the Pentagon. That's an example of something that should not have ever been possible.
That a cyber-attack was launched years later against the credit union when the DoD has already gained experience in defending against cyber-attacks, and experience in the consequences of failing is the part that bothers me.
A hypothetical parallel would be one car manufacturer using a vendor's gas tanks that are prone to exploding after an affiliated manufacturer has already d
Re: (Score:2)
PenFed is not affiliated with the Pentagon, except that the majority of their members are Pentagon employees.
Re: (Score:2)
I think the only reason Pentagon is in the title is for the prestige. It's wicked cool when you pull out your credit card with a huge Pentagon on it to pay your bar tab. It's also cool when the lady at the tag office looks over your new car paperwork and asks you wide-eyed, "Do you work for the Pentagon?" (To which I have a canned
Re: (Score:2)
Well said!
!USAA (Score:2)
Re: (Score:1)
USAA isn't a credit union.
This is why I don't believe in Conspiracy Theories (Score:2)
Re: (Score:1)
Re: (Score:2)
database design is at fault (Score:2)
Oh, and I am not saying Windows is anything at all good to have in anyone's life. In fact, the insecure nature of laptops and malware demands that security be increased closer to the sensitive data.
Seth
Re: (Score:2)
I never assumed the database was on the laptop. Encrypting data within the database means that client compromises like this one still protect critical assets such as SSNs. It means, as I alluded to in my original post, that a person or piece of malware can't execute a select social_security_number, address, patient_name from patient_table and store the resulting rows in a clear text file. Well, at least the resulting rows will be encrypted in DES or some such algorithm.
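An added Go example (not from the post, and not any vendor's or PenFed's code) of the column-level encryption the post argues for. The SSN column is encrypted in the application tier before it reaches the table, so the "select social_security_number, address, patient_name from patient_table" the post describes returns ciphertext. It goes slightly beyond the post in two ways: it uses AES-256-GCM rather than the DES the post mentions, and it stores a keyed-hash "blind index" next to the ciphertext so the application can still look a member up by SSN without ever storing the plaintext. The Row, Table and Keys types, the in-memory table and the sample row are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Row is what patient_table stores: the SSN only as AES-256-GCM ciphertext plus a keyed hash.
type Row struct {
	Name, Address string
	SSNCipher     []byte // nonce || ciphertext || tag; useless without the key
	SSNIndex      string // hex(HMAC-SHA256(indexKey, ssn)): equality lookups without plaintext
}

type Table []Row // stands in for patient_table (constructed in-memory model)

// Keys live in the application tier (a KMS/HSM in practice), never in the database.
type Keys struct {
	aead  cipher.AEAD // AES-256-GCM built once from the 32-byte data key
	index []byte      // separate HMAC key for the blind index
}

func NewKeys() (*Keys, error) {
	buf := make([]byte, 64) // 32-byte AES-256 key followed by a 32-byte HMAC key
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(buf[:32])
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Keys{aead: g, index: buf[32:]}, nil
}

// EncryptSSN seals the SSN under a fresh random nonce and prepends the nonce.
func (k *Keys) EncryptSSN(ssn string) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, []byte(ssn), nil), nil
}

// DecryptSSN reverses EncryptSSN; it fails on a wrong key, a tampered blob or a truncated one.
func (k *Keys) DecryptSSN(blob []byte) (string, error) {
	ns := k.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := k.aead.Open(nil, blob[:ns], blob[ns:], nil)
	return string(pt), err
}

// BlindIndex lets the application find a row by SSN; the secret HMAC key keeps the
// stored value from being brute-forced over the small SSN space.
func (k *Keys) BlindIndex(ssn string) string {
	mac := hmac.New(sha256.New, k.index)
	mac.Write([]byte(ssn))
	return hex.EncodeToString(mac.Sum(nil))
}

func (t *Table) Insert(k *Keys, name, address, ssn string) error {
	ct, err := k.EncryptSSN(ssn)
	if err != nil {
		return err
	}
	*t = append(*t, Row{Name: name, Address: address, SSNCipher: ct, SSNIndex: k.BlindIndex(ssn)})
	return nil
}

// SelectAll models the post's select run from a compromised client: rows come back, SSNs as ciphertext.
func (t Table) SelectAll() []Row { return append([]Row(nil), t...) }

func main() {
	k, err := NewKeys()
	if err != nil {
		panic(err)
	}
	var patients Table
	_ = patients.Insert(k, "A. Member", "1 Example St", "123-45-6789") // constructed sample row
	for _, r := range patients.SelectAll() {
		fmt.Printf("%s | %s | ssn=%x\n", r.Name, r.Address, r.SSNCipher) // what a dump reveals
	}
	ssn, _ := k.DecryptSSN(patients[0].SSNCipher) // only the key holder gets the plaintext back
	fmt.Println("authorized lookup:", ssn)
}
```

A lookup by SSN compares the stored SSNIndex with k.BlindIndex(ssn); the malware's file of dumped rows holds neither the key nor anything that decrypts without it, which is the property the post is after.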
Re: (Score:2)
When managing critical information like SSNs or embassy cables, clear text is just asking for a compromise.
Both of those things are run by people who think that it's their job to compromise...
One of two things MUST happen (Score:2)
Either Microsoft fixes the problems (yeah, not going to happen) with its Windows OS or banking and other institutions must ban the use of MS Windows machines for handling sensitive information such as this.
At the very least, requirements that such machines can NEVER have been used to connect to the internet or process email that might originate from the internet must be issued. These lax security policies are making victims of their customers and good luck getting your SSN changed after it has been used fo
OMFG (Score:1)
The Pentagon, which is renowned for being anal about security, let someone plug their insecure laptop onto their network and just start accessing data at the tip of a hat..... I do not believe it; they probably are not sure of where this breach came from, and this is their cover story.... so in case we see conf. info showing up only they had in public domains, now they can save their *sses, as they let us know about it.
Clarification: PenFed is not "the" credit union (Score:2)
Re: (Score:1)
The sentiment of "first" and "never done this before" is somewhat relevant.
"A laptop", only one? Cue the never-ending laughter. Let us make an educated ballpark guess at the number of employees who access their personal banking information with an infected laptop. Session hijacking, background processes, like most of the office people who use online banking are watching a physical LED to see if there is additional traffic outside of their control after they log in. Maybe some folks, even in IT, do not kn