MBIA Inc suffers huge data breachTurn and Twist
MBIA, Inc. is a financial services company and USA’s largest bond insurer. It was founded in 1973 as the Municipal Bond Insurance Association. It is headquartered in Armonk, New York, and has approximately 400 employees. As of now the MBIA Inc management or the security team does not have any idea of how many customers data may have been leaked/stolen due to the above exfiltration attempt. They are also not sure as to how long the server breach existed. The company stated that it had learned of the problem from an outside computer expert Monday. So far, the spokesman said, there was no evidence of suspicious or improper transactions in customer accounts.
Turn and Twist
The outside computer expert happens to be Brian Krebs of KrebsOnSecurity. In a separate blogpost, Brian stated that the entire data breach was due to a server side misconfiguration discovered by a security analyst, Bryan Seely of Seely Security. Brian stated that when notified about the breach, MBIA Inc. quickly disabled the vulnerable site — mbiaweb.com. mbiaweb contain customer information of its sister concern Cutwater Asset Management. Incidentally Cutwater Asset Management is being acquired by BNY Mellon Corp. Bryan Seely of Seely Security discovered the exposed data using Google search engine. Seely said the data was exposed thanks to a poorly configured Oracle Reports database server. Seely said that this type of database server is configured to serve information only to authorized personnel who have valid login credentials and are accessing the data from within a trusted, private network. However the misconfiguration meant that the data was wide open for everyone and Google indexed the data as a part of its search activities. Worse yet, Seely noted, that misconfiguration also exposed an Oracle reports diagnostics page that included the username and password that would grant access to nearly all of the customer account data on the server. However the question remains that how can the customers affected by this data breach be made to understand the utter idiocracy on part of MBIA Inc management/security team has somehow made their confidential information available everywhere to everyone via Google. Resource KrebOnSecurity