Outcomes - Selected Case Summaries

Categories

 

Malware attack on electronic payment system

Informal Resolution | 31 August 2021

An electronic payment system owned by six retail banks was informed of a malware attack on its main service provider, Prism Services. We were notified while the full parameters of the breach were still being investigated by a reputable cybersecurity firm under whose guidance containment actions were taken and suitable technical measures were put in place. Each of the affected banks reported the breach to us independently.

The attack was attributed to malware designed to deploy cryptocurrency mining software on infected systems. The breach was not discovered until several months after the intrusion. We were concerned that, at the time of the intrusion, vulnerabilities existed that had not been patched. Fortunately, we also determined that no personal data appeared to have been impacted. Our recommendations included updating server and client operating systems and applications with the latest patches, improving threat detection and prevention for the network and endpoints, and ongoing vulnerability testing and assessments.