06/12/2012

Regulators Tell FIS to Beef Up Security

Security issues following a data breach last year at a global provider of banking and payments technologies serving more than 14,000 financial institutions, including credit unions, were the topic of a confidential report sent earlier this year to the company by the Federal Deposit Insurance Corp. (FDIC), according to The Wall Street Journal (June 5).
 
A letter sent to Fidelity National Information Services Inc. (FIS), based in Jacksonville, Fla., is the latest evidence that regulators--including the National Credit Union Administration (NCUA)--are concerned about the security of financial and personal information that third-party processors store and the wave of data breaches in a variety of industries.
 
In the past two years, hackers have targeted processors such as FIS, whose breach last year involved prepaid cards; Citigroup Inc.; credit card processor Global Payments Inc.; and Epsilon Data Management LLC, an e-mail marketer. The latest breach, announced this week, is that of the LinkedIn social network, in which 6.4 million passwords were compromised. (See related story, "Restaurant chain, LinkedIn hit by breaches" in today's News Now.)
 
The Journal reported that NCUA saw a letter that was sent to FIS's CEO after an October 2011 examination conducted by the Federal Deposit Insurance Corp., the Federal Reserve Bank of Atlanta, and the Office of the Comptroller of the Currency. The six-page letter, which the Journal said it reviewed, outlined several security issues and centered on oversight issues involving a 2011 breach that resulted in at least $12.7 million in fraud.
 
The Journal also said that NCUA forwarded the letter to credit unions in March.
 
The NCUA, when contacted by News Now, would not verify for the record sending a letter to credit unions. However, John Zimmerman, NCUA's public affairs specialist, told News Now, "It is a longstanding interagency practice to share these reports, in this case produced by one of the banking agencies, with clients of record. We provided this information, as do the other agencies, to facilitate due diligence."
 
FIS, in its year-end 2011 report filed with the Securities and Exchange Commission, noted it was "the victim of a cyberattack against one of our prepaid clients on our Sunrise prepaid card platform in early 2011, which resulted in a financial loss to FIS of approximately $13 million." FIS identified that information for about 7,200 prepaid accounts may have been viewed, and that three individual cardholders' information may have been disclosed. No financial institutions or their customers suffered any financial loss in that attack, the report said. The report also outlined security measures FIS has taken since the incident.
 
They include:
  • Increasing review of all servers in its environment to identify any potential impacts of the unauthorized activity, and enhancing fraud monitoring and network controls;
  • Re-certifying Payment Card Industry (PCI) Data Security Standard compliance of the Sunrise prepaid platform, which is required after any breach incident;
  • Enhancing information security processes including creating a cross-functional team to implement enhanced transaction monitoring to detect or prevent fraudulent activity;
  • Expanding risk assessment coverage and performing a risk assessment of all Internet-facing products;
  • Enhancing its Information Security Strategic Plan with short-term measures to improve its information security;
  • Adding a new chief information security officer with extensive security and fraud experience; and
  • Improving its inventory of technology, data and information security assets worldwide.

It also increased the amount spent on information security in 2011 "and will nearly double this spend[ing] in 2012."