
by Dave Moore, CISSP

10/01/2023

How would you like it if your bank sent you a letter saying you were about to become an identity theft victim and possibly lose all your money because of lousy software security that allowed criminals to steal your account information? What if your bank said the best they could do to help would be to hook you up with some third-party company that might be able to tell you if an identity theft had already occurred?

That pretty much sums up the letter thousands of MidFirst Bank customers around the country recently received, telling them Internet criminals had stolen files containing their names, Social Security numbers and bank account numbers, “among other information.”

In what has come to be called “The MOVEit Breach,” MidFirst joined the shameful group of at least 152 other banks whose processes were hacked when they allowed customer information to be transmitted across the Internet by third-party contractors using a flawed data-transfer program called “MOVEit.” The flawed software allowed Internet criminals to steal their customers’ information.

Why it has taken so long for banking customers to be notified of this catastrophe is anybody’s guess. MidFirst states the theft of private information occurred at the end of May, 2023, but one letter a friend received from MidFirst notifying them their information had been stolen is dated September 6.

An international Russian-speaking cartel called “CL0p” is running the MOVEit crime spree. Highly organized and skilled, they’ve been running ransomware attacks and other extortion schemes since at least 2019. The group is based in Russia, and most of its MOVEit victims are located in the United States; Russia’s Putin regime has shown little motivation to catch the bad guys.

It’s not just banks that have been hacked. Besides the hundreds of government institutions, healthcare providers, insurance companies and other businesses, the largest group affected by far has been educational institutions, with well over 1,000 American universities and colleges involved. That comes to at least 25% of all the universities and colleges in the United States.

The list includes The University of Oklahoma, Oklahoma State University, Carl Albert State College, Eastern Oklahoma State College, Northern Oklahoma College, Rogers State University, Rose State College, Southwestern Oklahoma State University, Tulsa Community College, the University of Central Oklahoma, the University of Science and Arts of Oklahoma, Western Oklahoma State College, and probably others that I missed, as putting together a complete list of all the involved parties is extremely difficult.

The reason so many universities and colleges are affected is that many of them use the services of the National Student Clearinghouse (NCH), which provides educational reporting and verification services. NCH used the flawed MOVEit data-transfer software, which allowed the hack to occur. A letter from NCH states the stolen data includes name, date of birth, contact information, Social Security number, student ID number, and “certain school-related records.”

So far, I have found only three banks in Oklahoma hacked by the MOVEit breach: MidFirst Bank, Security State Bank of Oklahoma, and Bank of America. Even though MidFirst offers a condolence membership with the “OnAlert identity monitoring service,” which offers a $1 million Theft Insurance policy, when I read the policy, I quickly began to see it would be almost impossible to collect for major damages the MOVEit breach might send my way.

My best advice for today is: (1) don’t keep your money in a known hacked bank, no matter what they say, and (2) put a “Freeze” (not a “lock”) on your accounts at all four major credit bureaus (yes, there are four, not three: Experian, Equifax, TransUnion and Innovis). We’ll cover more things you can do next week.

Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.org