Inferior database security led to the downfall of promising fintechs in 2023

  • Security and Compliance
  • 21.02.2024 09:51 am

Cybersecurity is a well-known concern for all organizations, and database security is a critical subset. Successive major news stories have emphasized the damage that data breaches can cause for any company. 

The financial cost of paying data ransom is only the tip of the iceberg. Organizations can also expect to face fines and penalties for non-compliance with data privacy regulations, and higher financial losses from class-action lawsuits brought by users whose data was compromised. On top of that, the concomitant loss of trust and brand reputation can scare away customers, partners, and revenue for a long time to come. 

Database security should already be high on the list of fintech IT leadership priorities, but the rapidly evolving landscape should push it up even further. Constantly growing data volumes, complex distributed networks that make it harder to maintain visibility and perimeter defenses, increasingly strict data privacy regulations, and the ongoing shortage of skilled cybersecurity personnel all make databases more susceptible to threats. 

Database security is particularly crucial for fintechs and other financial organizations. Financial records are among the most sensitive, exceeded only by healthcare, as breaches can be especially consequential for customers. Financial services consumers have much lower tolerance for a data breach and are likely to take flight far more quickly than those of another vertical. 

Yet database security is still alarmingly weak even in fintechs, where one might expect there to be a higher degree of awareness around the vulnerabilities of databases, servers, and data access. 

Common security provisions are, alarmingly, still not a matter of course for many fintechs. These measures might include automatic lockdown and expiry for default user accounts, regular patching, military-grade encryption, credential rotation and multi-factor authentication (MFA), real-time monitoring, web app and database firewalls, frequent pen testing, and blocking public network access to data servers. 

If every fintech company did these things, a number of data breaches could have been prevented, or at least limited in their fallout. Here’s a closer look at a few serious data incidents from 2023 and the gaps in fintech database security that made them possible. 

Direct Trading Technologies

Direct Trading Technologies is an international fintech company that offers trading platforms for stocks, foreign exchange, cryptocurrencies, indices, Contracts for Difference (CFDs), and many other securities, as well as white-label services for other fintech solutions. 

You can imagine the outcry when DTT announced that it had been leaking sensitive user and trading-activity data over the course of six years, a cumulative data breach that put over 300,000 DTT users at serious risk of account takeover. The breach was due to a misconfigured web server that held multiple database backups, each containing a significant amount of sensitive information about the company's users and partners. 

It’s another example of the impact that simple human error can have. Although mistakes can happen, stronger pen testing may well have revealed this error long before it was discovered and exploited by hackers. 
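A defender-side check for the kind of exposure described above, as an added example that is not code from the article or from DTT: it walks a web root (a constructed directory in the test, any path on the command line) and flags files that look like database backups by extension or by their leading bytes, so it can run before each deployment. The extension list and magic-byte table are assumptions, not from the article.

```python
"""Pre-deploy check: find database backup artifacts under a web-served
directory. Added example; the extension list and magic bytes are assumed."""
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions that should never sit under a public web root (assumed list).
BACKUP_EXTS = (".sql", ".sql.gz", ".dump", ".bak", ".sqlite", ".db", ".tar.gz", ".zip")

# Leading bytes of common dump formats, so a renamed dump is still caught.
MAGIC = (
    (b"SQLite format 3\x00", "sqlite3 database"),
    (b"PGDMP", "pg_dump custom-format archive"),
    (b"-- MySQL dump", "mysqldump plain-text dump"),
    (b"\x1f\x8b", "gzip archive (possible compressed dump)"),
)


def classify_bytes(name: str, head: bytes) -> Optional[str]:
    """Return a reason string if (name, first bytes) look like a backup, else None."""
    lower = name.lower()
    for ext in BACKUP_EXTS:
        if lower.endswith(ext):
            return f"backup extension {ext}"
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return None


def find_exposed_backups(webroot: str) -> List[Tuple[str, str]]:
    """Walk the web root and list (relative path, reason) for suspect files."""
    root = Path(webroot)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            head = p.open("rb").read(32)
        except OSError:
            continue  # unreadable files are skipped, not treated as safe
        reason = classify_bytes(p.name, head)
        if reason:
            hits.append((p.relative_to(root).as_posix(), reason))
    return hits


if __name__ == "__main__":
    for rel, why in find_exposed_backups(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"EXPOSED: {rel} ({why})")
```

Any hit should block the deploy; a clean run does not prove the server is safe, only that no obvious dump artifacts sit in the served tree.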

Revolut 

In 2023, the story broke that Revolut had experienced losses of over $20 million over the course of several months in 2022, when hackers exploited a software vulnerability in Revolut’s payment systems. 

The vulnerability affected communication between Revolut’s European and US payment systems, with the result that Revolut used money from the bank’s own funds to refund declined transactions, rather than from the user’s account. Malicious actors were able to use this loophole to steal millions from Revolut, most of which can’t be reclaimed. 

Even though the sting continued for many months, Revolut’s security teams didn’t notice the vulnerability. It was only discovered when one of Revolut’s US-based partner banks noticed that its funds were lower than expected and alerted the company. Only then was the vulnerability spotted and closed. It’s highly likely that real-time monitoring could have detected and resolved the incident much earlier, before losses grew so high. 

Latitude Financial 

In March 2023, Australian fintech Latitude Financial notified users of an extremely serious data breach, in which hackers accessed 100,000 identification documents from one service provider and over 225,000 customer records from another. Latitude had to take its entire organization offline and stop serving customers in order to clean up its systems and restore security. 

The data breach resulted from an attack on one of its vendors that exposed the security credentials of two Latitude employees. Hackers were then able to use those credentials to log on to other service providers used for identity verification, which gave them access to sensitive Personal Identifying Information (PII). 

Latitude could have prevented this data breach if it had encrypted PII data in storage. Using MFA instead of passwords, and restricting third-party access to sensitive data by applying stronger assessment processes, could also have avoided the incident, or at least limited its scope. 

Fiserv 

Payment processing giant Fiserv was among thousands of organizations affected by an enormous exploit of a zero-day vulnerability in the MOVEit file transfer software, which is used by many fintechs and financial institutions. 

Fiserv found itself in the highly unwelcome position of having to notify its client, Michigan-headquartered Flagstar Bank, about the security incident. Flagstar, in turn, discovered that sensitive data from more than 800,000 customers had been exposed to hackers and malicious actors. 

It’s worth noting that Fiserv and Flagstar are far from being the only victims. The list exceeds 2600 organizations across numerous verticals, with data from more than 77 million people exposed as a result of the attack. If those companies had employed vulnerability scanning, they might have spotted the vulnerability before it was discovered and exploited by the ransomware group Clop, preventing such a large-scale data breach.

Database security provisions can be a matter of business life and death

As the saying goes, hindsight is 20/20. It’s easy to look back and point out the mistakes and deficiencies that led to specific data breaches. That said, when fintechs can suffer such serious ramifications from any data breach, there is no excuse not to implement every possible protection against hacking, data leaking, and unauthorized access. We hope that 2024 sees fintechs place a much brighter spotlight on database security.