The Fifth Third Bank Breach - Banks and Insider Threats
In this week’s briefing, we will have a look at a breach affecting a relatively minor Ohio bank. While this case does not have much impact by itself, it can serve as an example of the challenges faced by small yet high-value targets.
Cincinnati-based Fifth Third Bank confirmed last week that some of its employees had been stealing and passing on customer data. The recipients of the data were outsiders to the company. The police are currently investigating the suspected culprits, and the associated employees have now been fired. No information is available on the number of victims affected or the kind of data breached.
So with all of these details missing, why are we dedicating a full briefing to this breach? Because it is emblematic of the struggles affecting smaller enterprises with high-value targets and the never-ending struggle against insider threats.
When a member of the target organization works, either alone or in cooperation with outside accomplices or buyers, to subvert the information security safeguards of that organization, the attack is called an insider attack.
Insiders are notoriously hard to protect against since they usually have at least some access to IT systems and their presence in most locations won’t raise any alarms. They also know the systems and processes well. As such, they can operate with much more precision and impunity than external attackers can.
Motivations for insider attacks vary widely. Common scenarios include a disgruntled insider aiming to damage their organization, a malicious insider aiming to directly derive financial gain for themselves, or a bribed insider being enticed into performing certain actions by external attackers.
The issue with small, high-value targets
Fifth Third Bank is the 16th largest bank in the US. This makes it a very attractive target for attackers. At the same time, its size likely causes issues when attracting talent. As we have covered in previous briefings, the available talent pool for information security work cannot keep up with the demand.
Small but highly technical companies can entice potential hires with interesting work and learning opportunities. Very large companies can offer high pay and other perks to attract talent. Very small companies or companies with no interesting digital assets often coast by under the radar of attackers. But (relatively) smaller companies with high-value assets find themselves in a bind. They cannot compete on money, perks or work content, which often means they struggle in the talent market to attract the people they need to secure their systems.
Insider threats are a hard problem to solve for any organization. In combination with the difficulty relatively small organizations face when trying to attract talent, this creates an attack vector that is almost impossible to defend against for many organizations.