
posted by martyb on Friday May 29 2020, @06:32PM
from the keep-a-close-eye-on-all-your-finances dept.

Data Breach at Bank of America:

Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP).

Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.

The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information.

Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.

[...] In a breach notification document, a spokesperson for the bank said: "There is no indication that your information was viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time."

[...] Bank of America is offering clients affected by the breach free two-year membership of Experian's identity theft protection program.

Disclaimer: SoylentNews PBC has an account with Bank of America, but has not made an application to the PPP. In fact, since all SoylentNews staff are volunteers and have never been paid for their services, there was never any need or reason to apply for PPP.

  • (Score: 4, Insightful) by bloodnok (2578) on Friday May 29 2020, @07:45PM (#1000709)

    Another data breach.

    The current thinking on data security seems to go like this:

    - we'll put the database in a secure part of the network
    - only the application server will be internet facing and it will live in the DMZ
    - the responsibility for data security will lie with the application
    - we don't trust the application server, that's why it's in the DMZ
    - we give the application server trusted access to the database

    Am I the only one who sees fundamental problems with this?

    How many times have we heard of crackers having access to application servers for weeks at a time? Of course there are data breaches. We cannot rely on servers in the DMZ for the implementation of data security. It has to be implemented on servers in the trusted part of your network. I know that middleware is supposed to resolve this, but most of the middleware I've come across just acts pretty much blindly on behalf of the Internet-facing application server. Yes, it means that you can't run select * from customers, but if the middleware lets you access 1 customer record at a time with no real verification that you *are* that customer, then all it is doing is limiting the speed of the breach, not the magnitude of it.

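    The distinction bloodnok draws, middleware that only meters access versus middleware that actually verifies the caller is the customer whose record is requested, is easy to make concrete. The following is an added illustration written for this page (not code from Bank of America, the SBA, or any commenter) using constructed sample records. It assumes a design in which the trusted tier mints an HMAC-bound session after authentication; the key, the session format and the record store are all assumptions. `reachable_records` is the audit a reviewer would run: given one legitimate session, how many records can that caller pull through each interface?

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample records for the demonstration; not data from the breach.
CUSTOMERS = {
    1001: {"name": "Alice Example", "ssn_last4": "1234"},
    1002: {"name": "Bob Example", "ssn_last4": "5678"},
    1003: {"name": "Carol Example", "ssn_last4": "9012"},
}


class AuthorizationError(Exception):
    """Raised by the trusted tier when a request is not bound to the caller."""


@dataclass(frozen=True)
class Session:
    """Session minted by the trusted tier after login (assumed design)."""
    customer_id: int
    token: str


# Assumption: this key lives only on the trusted tier, never on the DMZ host,
# so a compromised application server cannot mint sessions for other customers.
_SESSION_KEY = secrets.token_bytes(32)


def issue_session(customer_id: int) -> Session:
    """Bind a session token to one customer id with an HMAC."""
    mac = hmac.new(_SESSION_KEY, str(customer_id).encode(), hashlib.sha256).hexdigest()
    return Session(customer_id, mac)


def _verify(session: Session) -> None:
    """Reject sessions whose token was not issued for the claimed customer id."""
    expected = hmac.new(_SESSION_KEY, str(session.customer_id).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, session.token):
        raise AuthorizationError("invalid session")


def fetch_customer_unchecked(customer_id: int):
    """Middleware as the comment describes it: one record per call, but the
    caller's identity is never compared with the record requested."""
    return CUSTOMERS.get(customer_id)


def fetch_customer_bound(session: Session, customer_id: int):
    """Middleware that enforces the identity check inside the trusted tier:
    a session may only read the record it was issued for."""
    _verify(session)
    if session.customer_id != customer_id:
        raise AuthorizationError("session not bound to requested record")
    return CUSTOMERS.get(customer_id)


def reachable_records(fetch, candidate_ids) -> int:
    """Audit helper: count how many records one caller can read via `fetch`."""
    count = 0
    for cid in candidate_ids:
        try:
            if fetch(cid) is not None:
                count += 1
        except AuthorizationError:
            pass
    return count


if __name__ == "__main__":
    alice = issue_session(1001)
    print("unchecked middleware:",
          reachable_records(fetch_customer_unchecked, CUSTOMERS))          # 3
    print("identity-bound middleware:",
          reachable_records(lambda c: fetch_customer_bound(alice, c), CUSTOMERS))  # 1
```

    With the unchecked interface a single foothold on the DMZ host reaches every record, one call at a time; with the bound interface the same foothold is limited to the records of sessions it can actually present, because the check and the key it depends on live on the trusted side. Note that a session object with a different customer id but a copied token fails `_verify`, since the HMAC covers the id.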
  • (Score: 3, Informative) by darkfeline (1030) on Friday May 29 2020, @09:37PM (#1000785)

    That's nice and all, but completely unrelated to TFA. Bank of America uploaded real user data to a testing/dev instance that other parties had access to. Whether or not hackers had access to application servers is a moot point.

    --
    Join the SDF Public Access UNIX System today!