Postbank, the South African Post Office Bank, has suffered a major internal security breach, serving to underscore the ever-present threat of insider data theft. According to an investigation by the local newspaper Sunday Times earlier this month, Postbank is being forced to replace some 12 million bank cards at a cost of $58 million after insiders compromised the personal data of millions of account holders, including social grant beneficiaries, by copying a master key.
How the internal security breach unfolded
The attack was an internal security breach carried out by rogue employees who, according to the investigation, copied the encryption master key, which was held in plaintext, at one of Postbank’s data centers in Pretoria city center.
The master key, a 36-digit code, gave the hackers near free rein over account holders’ Postbank accounts, allowing them to access the bank’s systems and account balances and even to reset bank cards entirely.
All in all, the internal security breach affected between eight million and 10 million beneficiaries who rely on the Postbank service to receive their social grants at the end of each month, according to the Sunday Times investigation. The bank has yet to clarify whether or not the grant beneficiaries affected will receive their stolen money back at all, according to a number of independent reports.
According to the investigation, the leak of the master key took place as early as December 2018, with Postbank only fully ascertaining the scale of the fraud one year later, in December of last year. At that point, the bank discovered that some 25,000 fraudulent transactions had taken place on its systems, amounting to $3.25 million in damages.
According to Saryu Nayyar, the chief executive at cybersecurity firm Gurucul, Postbank is at the center of a web of corruption, with multiple members of the organization being complicit in the attack. “The corruption at this bank was coordinated across multiple bank managers and VIPs,” he contended.
“The insider threat is not always a lone wolf. As we see here, it can be a team of insiders who band together to orchestrate a coordinated effort to exfiltrate data or IP,” added Nayyar.
Postbank’s internal security breach may come to have far-reaching ramifications indeed. As a subsidiary of the South African Post Office, the state-owned bank enjoys a reputable position within the country’s financial services sector. However, after suffering its recent internal security breach, Postbank’s reliance on outdated security practices, such as a single master key held in plaintext, was exposed, leaving the bank a prime target for large-scale fraud.
Master key: Trouble and opportunity
Postbank’s internal security breach exposes the inherent vulnerabilities of organizations to insider theft, particularly with regards to the potential loss of an encrypted master key.
According to Nayyar, privileged access to a master key opens the door to widespread corruption and leaves an organization at risk of falling victim to a similar attack.
“When it comes to insider threats, insiders with privilege inflict the most damage,” he said. “If you’re not securing your sensitive data from insider threats, you’re missing the single most detrimental threat vector: crooked employees,” added Nayyar.
Nayyar’s view is largely supported by Anurag Kahol, the CTO at cloud security firm Bitglass. According to him, while hacking and malware remain the most common causes of data breaches, Postbank’s internal security breach demonstrates that defending against insider threats “needs to be top of mind for companies”.
“Insider threats are often difficult to identify and remediate because these attacks usually involve the use of legitimate credentials,” explained Kahol. “In this case, rogue employees seized the bank’s master key that allows the holder to decrypt the bank’s operations, modify banking systems and more.”
As a result, says Kahol, malicious user activity tends to be mistaken for legitimate user activity, allowing such vulnerabilities to go under the radar for long periods of time. In turn, in order to be secure against an internal security breach, companies should have full visibility and control over their sharing permissions, he added.
“Enterprises should employ advanced solutions that authenticate employees’ identities, detect anomalous activity, and address additional mobile security threats,” Kahol pointed out, adding that this can be achieved by leveraging authentication methods such as single sign-on, multi-factor authentication and user entity behavior analytics.
Chris Hickman, chief security officer at digital identity security vendor Keyfactor, added to the sentiment, pointing out his belief that Postbank’s breach serves as a reminder of the “catastrophic consequences” that even a single compromised key can have on an organization. However, unlike Nayyar and Kahol, Hickman believes that there is hope yet for cryptographic keys, so long as they are properly managed and audited.
According to him, as things stand, most organizations lack the necessary means to effectively manage cryptographic keys. “Rarely do breaches and compromises happen to assets that are constantly monitored and watched; it’s those assets not being managed that most commonly lead to breach,” explained Hickman.
“Proper key management has risen past the level of simply serving as a checkbox on a security questionnaire,” he went on. “It is, and will continue to be, a business-critical, strategic initiative. Put simply: the investment in key management is a drop in the bucket compared to the business, brand and financial cost of a breach or compromise.”