Slashdot Mirror


Pentagon Credit Union Database Compromised

Trailrunner7 writes "The credit union used by members of the US armed forces and their families has admitted that a laptop infected with malware was used to access a database containing the personal and financial information of customers. The Pentagon Federal Credit Union (PenFed) issued a statement to the New Hampshire Attorney General that said data, including the names, addresses, Social Security Numbers and PenFed banking and credit card account information of its members, were accessed by the infected PC."

15 of 108 comments

  1. Quick... by butalearner · · Score: 2

    Any banks or credit unions not using Windows?

    1. Re:Quick... by kaptink · · Score: 2

      It's sad when your first thoughts on reading this story are 'oh another windows fail' but the sad reality is that I would bet my life that it was. Assuming I am correct, will Microsoft be held accountable?

      --
      Those who can, do. Those who cannot, sue.
    2. Re:Quick... by forkfail · · Score: 2

      Only Ye Ole Under The Mattress Bank.

      And even then, it's up to the depositor to ensure that the room is windowless...

      --
      Check your premises.
    3. Re:Quick... by butalearner · · Score: 2

      It's sad when your first thoughts on reading this story are 'oh another windows fail' but the sad reality is that I would bet my life that it was. Assuming I am correct, will Microsoft be held accountable?

      Of course Microsoft is not responsible, but also consider, had the laptop-toting person responsible been using something other than Windows, it would be highly unlikely that we would be having this discussion. It occurred to me after I posted (and after reading the article) that the laptop could have been a personal one, and it doesn't really matter what the bank is using if the guy loaded up the database on it and the malware quietly sent it elsewhere.

    4. Re:Quick... by TheRaven64 · · Score: 2

      Nope. The justification is that you can blame Microsoft. You can say to your boss 'we went with the same thing that everyone else is using' and then you don't get blamed personally.

      --
      I am TheRaven on Soylent News
  2. The weak link by nurb432 · · Score: 2

    As always, people not following proper procedures.

    --
    ---- Booth was a patriot ----
  3. I still find it crazy that... by Anonymous Coward · · Score: 4, Interesting

    I still find it crazy that systems like these don't have dedicated computers for accessing that info. Personally, I *refuse* to enter ANY kind of password into most people's laptops, let alone access sensitive information belonging to thousands of people. Then again, no one cares about "other people's information" until that other person is you...

  4. This what they did for me... by Anonymous Coward · · Score: 2, Interesting

    They gave me a new CC# right away, and offered two years free credit monitoring. Meh, better than nothing I guess.

  5. Air-gap security! by SaDan · · Score: 2

    There needs to be more air-gap security implemented in systems that are as important as banks/credit unions.

    I'm not referring to the air-gap currently between the ears of whoever is in charge of their computer systems.

  6. A case for laws? by DoofusOfDeath · · Score: 2

    I wonder if there should be laws that make persons working for banks, utility companies, etc. criminally and civilly liable for violating that organization's IA rules.

    I'm talking about organizations responsible for information systems whose compromise could lead to significant public harm.

    1. Re:A case for laws? by TaoPhoenix · · Score: 2

      Only if the infected laptop shared two Justin Bieber songs with the host machine. Then we'd see the correct penalty.

      --
      My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  7. Re:What should I do? by v1 · · Score: 4, Insightful

    Usually their first recommendation is to put a watch on your credit score. A lot of the time when a bank has a breach, they offer to pay for a year or so of this service to all their members whose information may have been exposed, so you can call them and see what they are offering for safeties after the fact.

    Change your PIN and password, security question, etc. for this account immediately. If you have a PIN or other password etc. used on that account that you use in other places, you should change those other places also, as they may try to use the credentials on other accounts they can figure out are yours in other places.

    Also while you're talking with this credit union, see what they can do to adjust the 'paranoia level' on your account. That's what gets you a phone call from them when you go on a vacation and buy a bunch of stuff and suddenly the card is getting declined. You want high paranoia on their part for a while. There may be ways to set reasonable hard limits on charges per day etc., a bit like how you can usually only pull $250 cash a day from an ATM. Set those limits temporarily as tight as you feel you can. They may have other options, ask them.

    And of course the ever-popular "consider changing banks". Do you really trust them as much with your money as you did before?

    --
    I work for the Department of Redundancy Department.
  8. This is incredibly sad. by jd · · Score: 3, Insightful

    Let's look at this.

    In short, infected devices have caused serious problems (and occasionally fatalities). The Pentagon has been subject to malware-related cyber-attacks, including (as noted in the list) serious cases of espionage, in the past. That people are (a) running devices that are open to attack, and (b) are able to connect such devices to any Pentagon network, is seriously pathetic.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. It's the IT, not the OS by Toe, The · · Score: 3, Insightful

    In the end, these sorts of egregious breaches can be blamed on IT and/or management. The latter mostly in cases where they unduly restrict IT from doing their jobs properly. In other (most) cases, it is because IT wasn't on the ball with security.

    These stories come out again and again and again, and yet we still see people being allowed to do the wow-stupidest things you can imagine.

    A few simple rules for people who haven't learned from these countless news stories:

    1. Company computers should only be allowed to perform company functions, and only company computers should be allowed to access company assets.

    2. Computer users should never have more access to their own computer or to company assets than they need. And always be conservative at first, and bump up their privs later if it becomes necessary.

    3. In situations where users might have access to assets that could potentially put other people's information at risk, those users should be required to undergo some basic security training.

    I'm just typing off the top of my head (I'm sure /. can add a few more), and already I've delineated more than I see done in most operations I've seen. It is rather amazing.

    And it is extremely infuriating. These people are in charge of my assets. Increasingly all of us have to (if we want to participate in modern society) put more and more of our data into the hands of others. And again and again they prove that they don't deserve the trust we're putting in them.

  10. This is why I don't believe in Conspiracy Theories by Timmy D Programmer · · Score: 2

    Because let's face it, the US government can't even keep ANYTHING secret or secure. Apparently not even their darn bank accounts.

    --
    (If at first you don't succeed, do it different next time!)