Vulnerability in PNB server exposed customer data for about seven months: CyberX9

A vulnerability in a Punjab National Bank (PNB) server allegedly exposed the personal and financial information of about 180 million of its customers for about seven months, according to cyber security firm CyberX9.

CyberX9 has claimed that the vulnerability provided administrative access to PNB's entire digital banking system.

Meanwhile, the bank has confirmed the vulnerability but denied that any critical data was exposed because of it.

PNB said “customer data/applications are not affected due to this” and that the “server has been shut down as a precautionary measure.”

“Punjab National Bank kept severely compromising the security of funds, personal and financial information of over 180 million (all) its customers for about the last 7 months. PNB only woke up and fixed the vulnerability when CyberX9 discovered the vulnerability and notified PNB through CERT-In and NCIIPC,” CyberX9 founder and MD Himanshu Pathak told PTI.

He said the CyberX9 research team discovered a critical security issue at PNB that led to admin access to internal servers, leaving a massive number of the bank's systems nationwide open to cyber-attacks for about the last seven months.

Pathak said the vulnerability was found in an Exchange server that is interconnected with other Exchange servers and shares all access with them, including access to all email addresses.

“The vulnerability which we discovered was leading to the highest level of admin privilege in PNB’s exchange servers. If you gain access to Domain Controller through an exchange server, the doors are easily open to make any computer accessible in the network.

“These computers even include those that are being used in their branches and other departments,” Pathak said.

When contacted, PNB said the server in which the vulnerability was found held no sensitive or critical data.

“The server wherein the vulnerability was reported, was being used as one of the multiple Exchange Hybrid servers used to route emails from on-prem to Office 365 Cloud. There is no sensitive/critical data in this server,” PNB said.

PNB denied CyberX9's claim about the vulnerability's impact on customer data.

“The server is in a separate VLAN segment and customer data/applications are not affected due to this. Vulnerability assessments and penetration testing are done periodically by external CERT-In empanelled Information Security Auditors and the observations are complied with.

Now this server has been shut down as a precautionary measure,” PNB said.

According to CyberX9, it reported the issue to the Indian cyber security watchdog CERT-In and the National Critical Information Infrastructure Protection Centre (NCIIPC), and the vulnerability was mitigated on November 19.

Banks flag concerns over US rules on consumer data, seek govt guidance, BFSI News, ET BFSI

India’s banks have approached the government with their concerns over the mandatory sharing of customer details with US authorities under that country’s expanded National Defense Authorization Act (NDAA), which took effect on January 1.

A government official confirmed that the Indian Banks’ Association (IBA) has sought government intervention and guidance on the issue. Banks have pointed out that the provision will raise costs and any compliance shortfall can have serious implications.

The NDAA incorporates parts of the Combating Money Laundering, Terrorist Financing, and Counterfeiting Act of 2019, significantly enhancing the reach of authorities over foreign banks if they have a correspondent account with an American financial institution.

It allows the Department of Justice and the Department of the Treasury to subpoena the records of such a foreign bank. Importantly, this provision can be invoked regardless of whether the correspondent account itself was used in the potential violation of US law.

Application will be Selective, Feel Bankers
The correspondent bank accounts of US financial institutions first came under watch through the US Patriot Act of 2001 to prevent money laundering and terror financing. “The banks have raised some concerns which are being looked at. The issues will also be discussed with the Reserve Bank of India and accordingly any decision will be taken,” said the official cited above.

Although Indian banks are compliant with the Foreign Account Tax Compliance Act (Fatca), Indian regulators should guide banks on the provisions of the NDAA that apply to them, experts said.

  • Banks raise concerns about customer confidentiality, data privacy and national security
  • Reach out to the govt through IBA
  • Banks already compliant with Fatca regulation
  • Govt to engage with regulator RBI on issue
  • Regulations allow US govt to subpoena foreign-located bank data if foreign bank has a US correspondent account

“This amendment will result in additional overheads on foreign banks that have correspondent accounts in the US for responding to any subpoenas, with the risk of noncompliance being both financial penalty as well as termination of correspondent relationships that essentially may cause loss of business share,” said Jaikrishnan G, partner, financial services consulting, Grant Thornton Bharat.

According to Jaikrishnan, Indian banks that have correspondent accounts with banks in the US will need to consolidate and limit such accounts within the US to balance business volumes with compliance costs and legal exposure. “Banks will need to strengthen transaction scrutiny on such correspondent accounts to safeguard themselves against potential involvement in such investigations,” he said.

Bankers are of the view that the application of this amended provision will be selective and only relevant in cases where there is court intervention. “But clarity is needed and that is why we have approached the government,” said a bank executive aware of the developments.
