Credit Union Website Hack Highlights Widespread Security Weaknesses

Jeff Mansir, Risk and Business Advisory Senior Manager
March 2015

On a Saturday morning two weeks ago in a small town in Montana, members of a local credit union checking the credit union’s website were greeted with an ominous black screen and a notice that the site had been “hacked by Islamic State” (also known as ISIS). After spitting out their coffee and hitting the refresh button, their first thought was likely “why?” followed closely by “how?”

Why

We tackled a possible “why” in a recent article discussing the increasing use of hacks by state actors seeking immediate notoriety instead of financial gain. It may be a stretch to refer to ISIS as a “state actor” (and it is unclear whether they were involved at all), but the opportunity to hit an unexpected target quickly and to broadcast a message certain to cause alarm and fear is one any malicious organization would be loath to pass up. Rather than going after a richer, better-defended target, the perpetrators can scan the internet for easy targets running software with known, unpatched flaws. In the age of 24-hour news cycles and social media, the audacity of the attack matters almost as much as the actual impact; in this case, ISIS striking a target in the absolute middle of the North American continent offers notoriety far out of proportion to the actual damage inflicted by the event.

How

The “how” is equally interesting in this case. The immediate concern of the poor credit union members with coffee now dripping down their screens was the status of their money; namely, had it been taken? There is no indication that members’ money was compromised, and it is unlikely it was ever at risk. A credit union’s core banking system is almost always a separate, hardened system, segmented off from its far more exposed public website. That separation only holds, however, if the website has no stored credentials, shared accounts, or network path into the banking environment, which is precisely the question a credit union should be able to answer before an incident rather than after one.

The credit union website, however, was hosted, updated, and maintained by credit union staff. This is very common. We often see websites maintained by non-IT administrative staff or volunteers in their spare time, using open source tools and little to no internal controls.

Initial indications for this hack point to WordPress as a common theme; WordPress is an extremely common and easy-to-use platform for web content management. These kinds of tools are great because they are cheap and easy to use; they are likewise dangerous from an information security perspective precisely because they are so common. A flaw in a widely used platform or plugin can be scanned for across the entire internet, so a site in Montana is found just as quickly as one in New York, and the weakness is as often in a third-party plugin or theme as in the platform itself. Whereas Windows and Adobe Flash updates are constantly on the minds of IT managers, how much time do they spend worrying about WordPress plugins? It would not be uncommon, based on our experience, to see a web content tool managed solely by administrative staff beyond the oversight of the IT department.
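The plugin problem is, in practice, an inventory problem: nobody knows what is installed or how old it is. The following script is an added example, not something from this article or from the credit union involved. It shows the first step an IT department can take without any third-party tooling: walk a WordPress install on disk, read the standard plugin headers and wp-includes/version.php, and compare what is installed against a list of known-current versions. The sample site tree, the plugin names and the “latest” table are constructed for illustration and do not describe real plugins or advisories.

```python
"""Inventory WordPress core and plugin versions from the filesystem and flag
anything older than a known-good version.

Added example, not code from the original article. The plugin names, versions
and the LATEST table below are constructed for illustration only."""
import os
import re
import tempfile

# Constructed sample WordPress tree (hypothetical plugins and versions).
SAMPLE_TREE = {
    "wp-includes/version.php": "<?php\n$wp_version = '4.1';\n",
    "wp-content/plugins/example-slider/example-slider.php":
        "<?php\n/*\nPlugin Name: Example Slider\nVersion: 2.0.9\n*/\n",
    "wp-content/plugins/contact-form-x/contact-form-x.php":
        "<?php\n/**\n * Plugin Name: Contact Form X\n * Version: 4.1.2\n */\n",
    "wp-content/plugins/hello.php":
        "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",
}

# Constructed "latest known" versions, as a patching team might maintain them.
LATEST = {
    "core": "4.1.1",
    "Example Slider": "2.1.0",
    "Contact Form X": "4.1.2",
    "Hello Dolly": "1.6",
}

# Standard WordPress plugin header lines, optionally inside a /* */ or /** */ block.
HEADER_RE = re.compile(r"^[ \t*#]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def version_key(v):
    """'4.1.1' -> (4, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def read_header(path):
    """Return (plugin name, version) if the file carries a plugin header, else None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress itself only reads the first 8 KB
    fields = dict(HEADER_RE.findall(head))
    if "Plugin Name" in fields:
        return fields["Plugin Name"], fields.get("Version", "0")
    return None


def scan_site(root):
    """Return {'core': version, '<plugin name>': version, ...} for an install at root."""
    found = {}
    core = os.path.join(root, "wp-includes", "version.php")
    if os.path.exists(core):
        with open(core, encoding="utf-8", errors="replace") as fh:
            m = CORE_RE.search(fh.read())
            if m:
                found["core"] = m.group(1)
    plugins = os.path.join(root, "wp-content", "plugins")
    for dirpath, _, files in os.walk(plugins):
        for name in files:
            if name.endswith(".php"):
                hdr = read_header(os.path.join(dirpath, name))
                if hdr:
                    found[hdr[0]] = hdr[1]
    return found


def find_outdated(installed, latest):
    """List (name, installed, latest) where installed < latest.

    Anything not present in the known list is reported as 'unknown' rather than
    silently skipped: an unrecognised plugin is exactly what the inventory is for."""
    out = []
    for name, ver in sorted(installed.items()):
        if name not in latest:
            out.append((name, ver, "unknown"))
        elif version_key(ver) < version_key(latest[name]):
            out.append((name, ver, latest[name]))
    return out


def build_sample(root):
    """Write the constructed SAMPLE_TREE under root so the demo runs offline."""
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return find_outdated(scan_site(root), LATEST)


if __name__ == "__main__":
    for name, have, want in demo():
        print(f"OUTDATED  {name}: installed {have}, latest {want}")
```

Against a real install, call `scan_site("/var/www/html")` (or wherever the site lives) and feed a `LATEST` table drawn from the WordPress.org update API or a vulnerability feed rather than a hand-typed dictionary. The value is the discipline the script enforces: every plugin, including one dropped in by a volunteer, appears in the report, and anything not on the known list is flagged rather than ignored.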

Prevention

Any good story includes a few takeaways, and from this I offer the following:

  1. Maintain a good inventory of systems managed by IT. Know which systems and software are managed, and by whom, and which are not. Be wary of applications supported outside IT, and therefore outside the information security controls you would normally expect to be in place.
  2. Update your systems. While this hack appears to have been enabled by a software flaw, a patch to fix the flaw had been released but not applied on the targeted host. If your website is maintained by someone else, find out what they use to manage and maintain the site, how current they keep those tools (including plugins and themes, not just the core platform), and how quickly updates are applied once released.
  3. Don’t forget about your website. While I don’t advise CEOs to become programmers, it is critical for management to understand the risks, both reputational and operational, that your web presence presents to your members or your organization. Become familiar with the term “SQL injection,” what being vulnerable to it means, why it matters, and how a compromised site can be turned against you: defaced, used to push malicious content to the members who visit it, or used as a stepping stone into your network.
  4. Maintain perspective. At this point it isn’t known whether the recent credit union hack was actually carried out by or on behalf of ISIS, or whether it was someone playing an elaborate prank. The resulting reputational hit is similar either way. Have a tested backup of the site and a plan for restoring it and communicating with members if disaster strikes, and be prepared.
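As an added example (not code from this article), the following Python script shows what the “SQL injection” in item 3 actually looks like: the same member lookup written once with the user’s input pasted into the SQL text and once with it bound as a parameter, run against a constructed in-memory member table. The same distinction applies in a WordPress site written in PHP, where `$wpdb->prepare()` plays the role of the bound parameter.

```python
"""Side-by-side demonstration of a SQL injection flaw and its parameterised fix.

Added example, not from the original article. The members table and its rows
are constructed sample data."""
import sqlite3

SAMPLE_MEMBERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def make_db():
    """Constructed in-memory database standing in for a site's member table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (username, email) VALUES (?, ?)", SAMPLE_MEMBERS
    )
    return conn


def lookup_vulnerable(conn, username):
    """BAD: the input is spliced into the SQL text, so a quote in it rewrites the query."""
    sql = "SELECT username, email FROM members WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """GOOD: the value travels as a bound parameter and can never become SQL."""
    sql = "SELECT username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology: closes the quoted string and appends a condition that is always true.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"

# A UNION payload: pulls rows from a table the query never mentioned (here the schema
# catalogue); the trailing -- comments out the quote the original query appends.
SCHEMA_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),  # every member
        "safe": lookup_safe(conn, TAUTOLOGY_PAYLOAD),              # nothing
        "normal": lookup_safe(conn, "bob"),                        # just bob
    }


def schema_leak(conn):
    """Same flaw, different payload: the attacker reads table definitions instead."""
    return lookup_vulnerable(conn, SCHEMA_PAYLOAD)


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} -> {rows}")
    print("schema     ->", schema_leak(make_db()))
```

Escaping quotes by hand is not a substitute for the parameterised form: the vulnerable function fails with any input that changes how the database parses the statement, and the list of such inputs depends on the database engine. Binding the value removes the whole class of problem rather than one payload.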

If you have any questions or would like to discuss this further, please contact Jeff Mansir at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.