Date: 2014-10-08
(Updates with comments from cyber security expert, details on
breach)
By Edward Krudy and Hilary Russ
NEW YORK, Oct 7 - Bond insurer MBIA was
told two weeks ago about a server breach that compromised the
data of thousands of local U.S. government entities, but it did
not address the problem until earlier this week, according to
the cyber security expert who discovered the intrusion.
MBIA said on Tuesday it had been notified that some client
information at its Cutwater Asset Management unit may have been
illegally accessed.
The company said it shut down the affected server for
now and was conducting a "thorough investigation." It intends to
take all measures necessary to protect customer data and secure
its systems.
Cutwater provides investment management services to local
governments for cash management purposes. Its clients include
the New Hampshire Public Investment Pool and Trust Indiana. It
also offers private funds for local government entities that
pool their assets.
The compromised information included user names and
passwords and would have allowed hackers to add users to
clients' accounts, effectively giving them access to billions of
dollars in those accounts, said Bryan Seely, an independent
cyber security consultant who notified MBIA on Sept. 24.
MBIA acknowledged that Seely had contacted the firm but said
it believed he was trying to sell it something and decided not
to respond. The firm did run a test on the company's web server
following the contact but did not test the client connection
portal at Cutwater, where the breach occurred.
The documents showed "the names of the people authorized to
withdraw money, their permissions and how to add new people with
just a very simple form that says the name of the person, their
privileges and who authorized it," said Seely.
The breach affected "a couple of billion" dollars in client
accounts, said Seely, who said he discovered the intrusion using
search tools.
The affected clients were from states including Texas, New
Hampshire, Indiana, Connecticut and Louisiana. There were a few
hundred to a thousand entities compromised from each state. The
largest account that Seely found was for the Louisiana Asset
Management Pool (LAMP), which totaled $505 million.
Around 1,000 entities have been affected in Texas alone,
Seely said. "Essentially any account that Cutwater Asset
Management had was breached," he said.
MBIA said it could not comment on the nature of the data
breached.
Cutwater stopped managing pooled assets for Texas
municipalities last year. Tom Jordan, chief executive officer of
Public Trust Advisors, which took over management of the funds,
is asking Cutwater to release more information but said the data
is likely old and not of value to hackers.
Seely said he left numerous messages at MBIA and sent emails
on the social media site LinkedIn. He said MBIA did not respond
although it had read the emails sent over the social network and
had visited his profile page.
"Based on the manner in which he was contacting people,
including someone who hasn't worked for the company for the
better part of 10 years, and the non-specific nature of his
warnings of a problem with the MBIA website, the belief here was
that he was attempting to sell us something," said Kevin Brown,
a spokesman for MBIA.
Seely said he never asked for money or offered anything for
sale.
MBIA only reacted when Seely contacted independent
investigative reporter Brian Krebs, who specializes in cyber
security issues. Krebs said he informed MBIA on Monday before
blogging about the issue on his website, KrebsOnSecurity.com.
In a letter received by New Hampshire's banking department,
Cutwater said the online system through which customers access
their accounts "appears to have been attacked," according to
the letter, seen by Reuters.
"Thus far we have seen no evidence of any suspicious or
improper transactions," though it is possible that information
related to bank operating accounts or custodies may have been
compromised, the letter said.
