The Washington Post

Data leak at largest U.S. bond insurer left personal accounts visible via a Google search

(REUTERS/Kacper Pempel/Files)

A parade of headlines over the past year has warned of the dangers of cyberattacks, with big retailers and the financial industry falling victim to hackers who leave only faint digital trails in their wake. But sometimes, big data leaks or breaches are simply the result of human error.

The private account numbers of ordinary Americans and municipal governments were exposed accidentally on the Web by a subsidiary of MBIA, the nation’s largest bond insurer, allowing anyone through a Google search to find that personal data, two security experts said.

It is not known how many accounts were exposed or how long the data was at risk. But one of the security analysts said the information could have impacted hundreds if not thousands of customers and been publicly available for years.

MBIA, which guarantees payments to bondholders in case their bonds go sour, declined to confirm or deny that the information was exposed online by its subsidiary. But company spokesperson Kevin Brown said the company had contacted current clients about the data leak on Monday evening and was reaching out to past clients throughout Tuesday.

"We have been notified that certain information related to clients of MBIA's asset management subsidiary, Cutwater Asset Management, may have been illegally accessed," Brown told the Washington Post. "We are conducting a thorough investigation and will take all measures necessary to protect our customers' data, secure our systems, and preserve evidence for law enforcement." On its Web site, Cutwater states it manages $23 billion in assets.

Independent security researcher Bryan Seely of Seely Security, who along with cybersecurity researchers at Rhino Security Lab discovered the issue, said the leak was the result of a misconfigured Oracle Reports database server that exposed information meant to be confined behind the digital walls of a trusted private network to the Internet at large.

The data leaks were first reported by investigative journalist Brian Krebs, who runs the Web site

Sensitive client data including account numbers, balances, and even a page listing administrative credentials was laid bare and made accessible by search engines, according to Krebs and Seely. The documents included the forms and detailed instructions on how to add new bank accounts for deposits in some cases, Seely said.
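The failure mode described above, a server meant for a private network answering public requests until a search engine indexes its reports, is usually visible in the server's own access logs long before it reaches a news story. The following is an added example, not code from the article, MBIA, or the researchers it quotes: it audits web server access logs for report paths that were served successfully to search-engine crawlers or to addresses outside the private network. The log lines are constructed, the `/reports/` path prefix, the crawler user-agent markers, and the use of RFC 1918 ranges to define "private" are assumptions for the example.

```python
"""Audit access logs for internal report paths served to the public Internet.

Added example; sample data is constructed and the path prefix, crawler
markers and private-network definition are assumptions, not facts about
the incident in the article.
"""
import ipaddress
import re
from dataclasses import dataclass

# Apache/Nginx "combined" log format (assumed format of the sample lines).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings that identify common search-engine crawlers (assumed list).
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "baiduspider", "duckduckbot")

# Paths that should only ever be reachable from the trusted network (assumed).
INTERNAL_PREFIXES = ("/reports/",)

# Assumption: "trusted private network" means RFC 1918 address space.
# ipaddress.is_private is deliberately not used because it also counts the
# documentation ranges (e.g. 203.0.113.0/24) used in the sample as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines; addresses come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Oct/2014:10:12:01 +0000] "GET /reports/account_summary HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '10.0.0.5 - - [07/Oct/2014:10:13:44 +0000] "GET /reports/account_summary HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Oct/2014:10:14:02 +0000] "GET /reports/account_summary HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Oct/2014:10:15:30 +0000] "GET /reports/account_summary?id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [07/Oct/2014:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    reason: str


def is_crawler(user_agent: str) -> bool:
    """True if the user agent matches a known search-engine crawler marker."""
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def is_private_ip(ip: str) -> bool:
    """True if the address lies inside one of the assumed private networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit(lines):
    """Return a Finding for every successful (2xx) response on an internal path
    that went to a search-engine crawler or to a non-private address."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        status = int(rec["status"])
        if not path.startswith(INTERNAL_PREFIXES) or not 200 <= status < 300:
            continue
        if is_crawler(rec["ua"]):
            findings.append(Finding(rec["ip"], path, status, "served to search-engine crawler"))
        elif not is_private_ip(rec["ip"]):
            findings.append(Finding(rec["ip"], path, status, "served to non-private address"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ip} {f.path} {f.status}: {f.reason}")
```

Run against the constructed sample, the audit reports two hits: the crawler's successful fetch, which is the one that leads to the content appearing in search results, and the successful fetch from an address outside the private ranges; the internal request and the rejected (401) request are ignored. The crawler hit is the higher-severity signal, since it means the data is about to be (or already is) cached and searchable even after the server is taken offline.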

This type of information is potentially more sensitive than credit card accounts, which are generally backed by banks in the case of fraudulent activity. MBIA's leak could have been used to compromise millions of dollars in investments, said Seely.

The exposure must have gone unnoticed by malicious hackers, otherwise it would have already been exploited, Seely contended. "It could have very easily been discovered by someone else without scruples," Seely said, likening the incident to a bank vault door left wide open.

When Seely attempted to contact MBIA about the issue, the company wouldn’t return his calls, he said. Screenshots Seely shared with the Washington Post appear to show him reaching out to a member of MBIA’s leadership two weeks ago on LinkedIn to explain the problem, but he did not get a response. Brown confirmed that Seely repeatedly contacted MBIA about the issue, but said the company believed Seely was attempting to sell them a service despite explicit statements to the contrary in Seely's messages.

The weakness in the Oracle Reports database identified by Seely is a well-known one in technology circles. In fact, Oracle identified it and provided a patch in 2012. But it is not known whether MBIA applied that fix to its systems — the company declined comment on that matter. Other firms and organizations have also encountered the issue. In September, Seely told CNN that the flaw exposed sensitive personal information about students at major universities and some government agencies.

"MBIA was the most egregious of the finds because it showed account numbers and authorized signers on accounts," among other things, Seely said.