Security researchers and cybersecurity experts recently discovered a weakness in Fiserv’s web platform, which may have exposed the personal and financial details of customers across hundreds of internet banking sites. The flaw involved a messaging platform used by Fiserv to send account alerts to customers of Fiserv-affiliated banks. These alerts can be set up to notify the customer of certain events, such as when a balance passes a threshold. Someone noticed that the alert was delivered as a link to a web page whose address contained a numeric event identifier, such as 17835, and that changing that number gave access to another customer’s alert. For example, by simply changing 17835 to 17836 and leaving the rest of the web address the same, the user could view an alert belonging to another customer. Doing so exposed the other customer’s email address, phone number, and the last four digits of their bank account number, and also allowed the user to view and even edit the alerts set up by that customer, including the email address or phone number to which the other customer’s alerts would be sent. Fiserv has reportedly addressed this flaw by making the event identifiers no longer sequential, replacing the numeric identifier with a pseudo-random string of characters.
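The flaw described above is an insecure direct object reference: the server trusted the identifier in the URL and never checked that the requesting customer owned the record. The following is an added illustration, not Fiserv’s code and not derived from it, written to show the vulnerable lookup beside a hardened one. The customer names, identifiers and account digits are constructed sample values, and the in-memory store and function names are assumptions made for the example. Note that the random identifier is only part of the fix: the ownership check is what actually enforces authorization, and the random identifier merely stops casual enumeration.

```python
import secrets

# Constructed sample data: two customers' alert records, keyed the way the
# vulnerable design keyed them (sequential integers). All values are made up.
ALERTS_BY_SEQ = {
    17835: {"owner": "alice", "email": "alice@example.com", "acct_last4": "1234"},
    17836: {"owner": "bob",   "email": "bob@example.com",   "acct_last4": "5678"},
}


def vulnerable_view_alert(session_user, event_id):
    """Vulnerable pattern: the record is returned for any id that exists,
    with no check that the logged-in customer owns it (an IDOR).
    session_user is ignored entirely, which is the bug."""
    return ALERTS_BY_SEQ.get(event_id)


class AlertStore:
    """Hardened pattern (hypothetical store, not a real API): opaque random
    identifiers AND an ownership check on every read and write."""

    def __init__(self):
        self._alerts = {}

    def create(self, owner, email, acct_last4):
        # 128 random bits, URL-safe; neither guessable nor sequential.
        alert_id = secrets.token_urlsafe(16)
        self._alerts[alert_id] = {
            "owner": owner, "email": email, "acct_last4": acct_last4,
        }
        return alert_id

    def view(self, session_user, alert_id):
        record = self._alerts.get(alert_id)
        if record is None or record["owner"] != session_user:
            # Same response for "does not exist" and "not yours", so the
            # endpoint never confirms which identifiers are valid.
            return None
        return record

    def update_contact(self, session_user, alert_id, email):
        # Writes go through the same ownership check as reads, so a user
        # cannot redirect another customer's alerts to their own address.
        record = self.view(session_user, alert_id)
        if record is None:
            return False
        record["email"] = email
        return True


if __name__ == "__main__":
    # Demonstrates the difference: alice reaches bob's record in the
    # vulnerable design, but not through the hardened store.
    print(vulnerable_view_alert("alice", 17836))
    store = AlertStore()
    bob_id = store.create("bob", "bob@example.com", "5678")
    print(store.view("alice", bob_id))
```

The `vulnerable_view_alert` function returns Bob’s record to Alice simply because the identifier exists; `AlertStore.view` and `AlertStore.update_contact` refuse the same request because the session user does not match the record owner, regardless of whether the identifier was guessed or obtained some other way.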
KrebsOnSecurity made this discovery public today. Data security breaches are a key risk area for businesses, and an effective breach management process can help minimize that risk. While many questions remain unanswered, we anticipate that many banks and financial services organizations that use the Fiserv platform may receive questions from customers, users, investors and, possibly, regulators. Organizations that may be at risk should consider engaging their Incident Response Team to review any abnormal log-ins and conduct an internal investigation. In addition, organizations should review their vendor services agreements (including those with Fiserv) to determine who is ultimately responsible for data security incidents.
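When an incident response team reviews historical activity on an alert endpoint that used sequential identifiers, one useful triage signal is a single session retrieving many distinct event identifiers, especially a consecutive run. The following is an added example, not part of the original post and not a Fiserv tool; the log format (`<session> <method> <path>`), the `/alerts/<id>` path and the sample lines are all constructed assumptions. A legitimate customer with several alerts will also touch several identifiers, so the output is a list of sessions to examine, not proof of misuse.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real data). Assumed format:
# "<session> <method> <path>". sess-A walks consecutive ids; sess-B and
# sess-C behave like ordinary customers.
SAMPLE_LOG = """\
sess-A GET /alerts/17835
sess-A GET /alerts/17836
sess-A GET /alerts/17837
sess-A GET /alerts/17838
sess-B GET /alerts/20411
sess-B POST /alerts/20411/contact
sess-C GET /alerts/17901
"""

# Hypothetical endpoint shape; adjust the pattern to the real log format.
ALERT_PATH = re.compile(r"^(\S+) (GET|POST) /alerts/(\d+)")


def enumeration_suspects(log_text, min_distinct=3):
    """Return, per session, how many distinct alert ids it touched and
    whether those ids form a step-by-one run. Only sessions reaching
    min_distinct distinct ids are reported."""
    ids_by_session = defaultdict(set)
    for line in log_text.splitlines():
        m = ALERT_PATH.match(line)
        if m:
            ids_by_session[m.group(1)].add(int(m.group(3)))

    findings = {}
    for session, ids in ids_by_session.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        consecutive = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        findings[session] = {
            "distinct_ids": len(ids),
            "consecutive_run": consecutive,
            "id_range": (ordered[0], ordered[-1]),
        }
    return findings


if __name__ == "__main__":
    for session, info in enumeration_suspects(SAMPLE_LOG).items():
        print(session, info)
```

On the constructed sample only `sess-A` is reported, with four distinct identifiers forming a consecutive run from 17835 to 17838; the repeated access to a single identifier by `sess-B` and the lone request from `sess-C` fall below the threshold.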