TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, between early March 2017 and mid-July 2018.
TCM Bank, a subsidiary of ICBA Bancard, serves as a trusted advisor to community banks and as a direct issuer of credit cards for more than 750 small and community U.S. banks that prefer not to issue cards themselves.
TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, including names, addresses, dates of birth and Social Security numbers.
“In a letter being mailed to affected customers today, TCM said the information exposed was data that card applicants uploaded to a Web site managed by a third party vendor,” wrote the popular investigator Brian Krebs.
“TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.”
Thousands of people who applied for cards between early March 2017 and mid-July 2018 were affected by the incident.
The company notified the affected customers of the incident via email. The exposed data is information that card applicants uploaded to a Web site managed by a third-party vendor.
The attorney Bruce Radke, who is helping TCM, confirmed that the number of affected customers is less than 10,000.
“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said.
“We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”
Businesses have to carefully review the level of security implemented by their partners to avoid third-party incidents that could have a significant impact on their operations.
“Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers,” concludes Krebs.
“Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners.”
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group. He is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.
Pierluigi is a member of "The Hacker News" team and a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.