First Horizon Bank Data Breach Left Customer Accounts Drained

 InfoSecurity Group magazine reported that First Horizon Bank experienced a data breach where more than 100 online customer accounts were accessed, and funds drained from them.

What Happened?

First Horizon Bank reported to the Securities and Exchange Commission (SEC) on April 28 that an amount less than $1 million was accessed and stolen from customer accounts due to an intruder breach.

How Did the Breach Occur?

Experts theorize that the attack occurred due to a brute force attack combined with vulnerabilities in the bank's internal network system. According to the SEC filing,

"Based on its ongoing investigation, the company determined that an unauthorized party had obtained login credentials from an unknown source and attempted access to customer accounts. Using the credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 online customer bank accounts, had access to personal information in those accounts, and fraudulently obtained an aggregate of less than $1 million from some of those accounts."

First Horizon Bank used to be called First Tennessee Bank, and they earn roughly $500 million per year in profits. They have since repaired the vulnerability, reset all customer passwords, and reimbursed the affected customers for their losses.

"Based on its ongoing assessment of the incident to date, the company does not believe that this event will have a material adverse effect on its business, results of operations, or financial condition," they concluded in their notice.

Hackers Targeting Banks - What is the Solution?

It's no surprise that hackers are more frequently targeting highly profitable targets like banks. The danger is less so for the corporation and more for the bank's customers.

Security experts warn that any type of financial institution needs to implement layers of security and privacy to keep the bad guys out. One security expert Timothy Chiu, VP of K2 Cyber Security, said,

"Training users on security, such as recognizing phishing and fake websites, is a start, but not enough."
"Organizations also need network, system, and application security to protect their assets.  Application security adds the final layer, protecting applications that may have unknown or unpatched vulnerabilities."

How Bank Customers Can Stay Safe

Unless you decide to store your money in your mattress, most people need to use banks. But it's hard to trust in any organization's security when companies like Microsoft and government agencies are being attacked and successfully breached daily.

Some tips for bank customers to stay safe are:

• Never reuse passwords on multiple websites. That is how this attack occurred. Credential stuffing is when hackers use stolen/breached passwords from one website on another and can successfully break-in. 
• Keep all your devices patched with the latest security updates.
• Use good, strong antivirus/anti-malware software on all your devices.
• Invest in a good password manager so you can use long, strong, un-hackable passwords.
• Diversify your money and keep some in various accounts so if any are breached, you will not be wiped out.
• Never click on links or download attachments in emails.
• Do not click links in text messages that come to you unsolicited.
• Be watchful for phishing and social engineering tactics.
• Never give out personal information such as usernames and passwords to anyone.
• Monitor all your bank statements and credit cards regularly.
• Keep a close eye on your credit report watching for identity theft, especially after a data breach.
• Turn on two-factor authentication on all your accounts so intruders cannot access your accounts without your mobile phone.

Always use common sense and if something sounds “too good to be true” it is.