TCM Bank Exposed Applicant Data for 16 Months!

TCM Bank is a company that supports approximately 750 small and community U.S. banks by issuing credit cards to their account holders. But those who applied for cards between March 2017 and July 2018 may have had their names, addresses, dates of birth, and Social Security numbers exposed due to a website misconfiguration. This leaves thousands of people at risk.

TCM Bank is a subsidiary of Washington, D.C.-based ICBA Bancard Inc. The exposure was noticed on July 16, 2018. The website on which clients entered their personal data was handled by a third-party vendor. Once TCM became aware of the issue, it was resolved the following day.

Bruce Radke, an attorney working with ICBA on its breach outreach efforts to clients, stated that fewer than 10,000 consumers who applied for cards were affected. Radke declined to name the third-party vendor, saying TCM was contractually prohibited from doing so.

“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said. “We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”

ICBA Bancard is the payments subsidiary of the Independent Community Bankers of America, an organization representing more than 5,700 financial institutions that has been fairly vocal about holding retailers accountable for credit card breaches over the years. Last year, the ICBA sued Equifax over the big-three credit bureau’s massive data breach that exposed the Social Security numbers and other sensitive data on nearly 150 million Americans.

Many companies that experience a data breach or data leak are quick to place blame for the incident on a third party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers. For instance, identity theft protection provider LifeLock recently addressed a website misconfiguration that exposed the email addresses of millions of customers. LifeLock’s owner Symantec later said it fixed the flaw, which it blamed on a mistake by an unnamed third-party marketing partner.

Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners. Nevertheless, organizations of all shapes and sizes need to be vigilant about making sure their partners are doing their part on security, lest third-party risk devolve into a first-party breach of customer trust.
