On June 12, 2024, Sp1d3r, a well-known dark web data broker and cyber-criminal group, posted on a dark web forum offering stolen Truist Bank data for $1 million. The data dump allegedly contains 65,000 employee records with detailed personal and professional information, bank transactions including names, account numbers, and balances, and the source code of the bank’s Interactive Voice Response (IVR) funds transfer system. IVR technology lets telephone callers interact with a computer-operated phone system using voice and Dual-Tone Multi-Frequency (DTMF) signaling tones entered via a keypad.
Truist Bank is a leading U.S. commercial bank headquartered in Charlotte, North Carolina. It was established in 2019 by a merger between SunTrust Banks and BB&T (Branch Banking and Trust Company). The bank operates 1,935 branches and serves 15 million clients across the U.S. As of March 31, 2024, it had an AUM (Assets under Management) of around $535 billion.
According to a statement by a Truist Bank representative, “In October 2023, we experienced a cyber security incident that was quickly contained. In partnership with outside security consultants, we conducted a thorough investigation, took additional measures to secure our systems, and notified a small number of clients last fall.”
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect the fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy of individuals in the United States. OCR regularly performs assessments to verify adherence to the Privacy, Security, and Breach Notification Rules. If breaches of protected health information (PHI) are found, OCR may impose corrective action plans and financial penalties. HIPAA was passed in 1996 and covers health care providers, health plans, clearinghouses, and business associates. Its main objectives are to allow workers to transfer health insurance coverage when changing jobs, to prevent discrimination against individuals with pre-existing health conditions, and to guarantee renewal of coverage in multi-employer health insurance plans.
Following the resolution, Melanie Fontes Rainer, OCR Director, said, “Hacking and ransomware are the most common type of cyber attacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals. Safeguarding patient protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks.”
Chen Heffer, the Founder and President of CyTech International, with more than 2 decades of experience as a CISO and 3 decades in the cyber industry, said that going after the data and trying to recover it is basically a ghost chase. According to Heffer, “As a security expert, you need to deal with the immediate consequences of the data breach. This does not involve getting your stolen data back but rather mitigating the damage and preventing further breaches by escalating the incident within the organization and the clients whose data was breached. To enhance the security of the organization’s system, an advisory should be sent to immediately strengthen the identities of the 65,000 employees and the clients whose personal information was stolen by enabling Multi-Factor Authentication (MFA), minimizing the bank employees’ social footprint and investing in all affected individuals’ awareness of the potential threats that might try to exploit this data leak.”
The statement above addresses the immediate response to the data breach, but it is equally important to consider long-term strategies. In addition, Heffer said, “Implementing User and Entity Behavioral Analytics (UEBA) in industries with large data sets, such as the financial and healthcare sectors, is very important to prevent misuse of stolen identities by malicious users. This is especially important for high-ranking officials, ‘C’ Levels of the organization, as their confidential information and social footprint can be used in ‘Whale-Phishing’ attacks, malicious email attacks targeted and personally tailored against ‘C’ level and high-rank personnel.”
In conclusion, the recent data breach of Truist Bank highlights the urgent need for both proactive and reactive cyber security strategies. This aligns with Heffer’s statement that “The key to achieving good cyber security is through people and the organizational culture, rather than relying on technologies. While technology is an important tool in cyber security, it is the people and the culture within an organization that often determine how secure it is. Technology use and effectiveness are a result rather than a strategy, the result of organizational culture and user behavior and awareness at the highest levels.”