Financial Services Company First Horizon Hit by Data Breach That Results in Stolen Customer Funds

On Wednesday evening, Tennessee-based bank First Horizon announced via an SEC filing that it had fallen victim to a data breach at the hands of an unauthorized party. The party in question leveraged stolen login credentials to exploit a vulnerability in third-party security software that the bank had deployed, and was able to compromise nearly 200 online accounts, stealing personal information along with nearly $1 million.

The incident was discovered earlier this month, and the company has since fixed the vulnerability that allowed the intrusion. It also reset the passwords on accounts and is working with affected customers to create new accounts while deactivating those that were breached. All lost funds were also reimbursed.

First Horizon is currently working with law enforcement and other authorities on the breach, and has stated it does not expect the incident to have a negative impact on its business.


We heard from Robert Haynes, SCA and Open Source Evangelist, Checkmarx, who shared what the source of this breach could've been and what organizations need to remember when fortifying their cybersecurity posture:

“Attackers are adept at finding the weakest link. This is most frequently a human, and often results in phishing or spear phishing attacks against IT staff, as their credentials are the most useful to an attacker. Attackers will also exploit vulnerable technology, often in conjunction with illicit credentials they may have obtained. ‘Third-party security software’ could represent a wide range of technologies from VPNs (example: the recent Pulse Secure VPN compromise) to software libraries providing services such as One Time Passcodes (example: the bug in a Django two-factor authentication plugin last year that stored passwords in plain text). Whatever the mechanism of compromise used here, it's another reminder that all organizations, but especially financial services organizations, need to consider the totality of their attack surface area, from the email security of the most senior company officer down to the smallest software library used in their applications.”

