Third-Party Web Manager Exposes TCM Bank Data

ICBA Bancard Inc. subsidiary TCM Bank, a company that aids community banks in issuing credit cards to their customers, announced that the personal data of thousands of people who applied for credit cards with their local banks was exposed, according to Brian Krebs. The information that was leaked between early March and mid-July 2018 included the names, addresses, dates of birth and Social Security numbers of thousands of people across the more than 750 community banks that work with TCM Bank. The leak was reportedly discovered on 16 July, then fixed the following day. TCM told KrebsonSecurity that the leak was from one of the third-party vendors that manages its website. As a network of community banks, TCM Bank handles documents filled with personally identifiable information (PII), including credit card applications. In this instance, misconfiguration – a critical application-security risk – resulted in the a leak of customer information. “Vulnerabilities and misconfigurations in websites are incredibly common, even among highly regulated financial services companies. Many businesses, across all industries, are still unaware of online business risks or have delayed taking appropriate action,” said Jessica Marie, cybersecurity evangelist at WhiteHat Security.