Vendor Risk Management: Urgent Issue for Small Finance BanksExposure of Jana Small Finance Bank Data by Vendor Highlights Third-Party Risks
The recent data breach that exposed information on 2.6 million customers of Bangalore-based Jana Small Finance Bank points to the need for banks to ramp up their vendor risk management efforts, security analysts say.
See Also: 2021: A Cybersecurity Odyssey
A data breach at the bank, which serves 4 million customers across India, was brought to light when the consultancy Security Discovery reported on July 23 that data on 2.6 million bank customers had been exposed through a third-party wallet platform vendor's server that was not adequately protected by a password.
Security Discovery researcher Jeremiah Fowler discovered the exposed database on May 26. The data exposed in the unprotected Elastic database includes client PII, wallet IDs, usernames, emails, account and transaction data, full history records, IP addresses, and the entire "KYC" (Know Your Customer) package, including Aadhaar numbers and other customer IDs.
Ashwin Khorana, CIO at Jana Small Finance Bank, tells Information Security Media Group: "Our vendor used this data [that was exposed] for testing purposes. It belonged to our Wallet business, which we are out of since 2018." He declined to identify the vendor involved.
He acknowledges, however, that it's critical for banks to have stronger management and control measure in place to avoid leaks of data in rest from vendor managed environments .
Breaches stemming from third-party risks are a serious risk for small finance banks that rely on vendors for many services because they lack their own resources.
Bengaluru-based Ratan Jyoti, CISO at Ujjivan Small Finance Bank, notes: "Since these banks integrate with third parties for all their services, including payment services, fintech companies for innovative products, cloud services, micro finance and lending services, etc., the security risks are going to rise if the third-party security posture is weak and not governed properly."
The 12 RBI-licensed small finance banks in India extend basic banking services to farmers, micro and small industries and others through high-tech/low cost operations. The Jana incident is a wake-up call to ensure that a stringent risk assessment framework is built before outsourcing services to a third-party vendor.
Damage to Reputation
Breaches caused by vendors can damage a bank's reputation, Khorana acknowledges.
"As soon as the data availability got highlighted by Security Discovery team, the bank security team identified the source of leak which was a vendor managed server on the cloud. The vendor was instructed to delete the test data and shut down the server instance. The vendor has been issued a legal notice for not protecting and deleting the data after the job was completed in January 2018," he added.
The bank has also reported the matter to CERT-In and RBI, he added.
A similar data exposure incident was reported last year. Customer data at Thrissur-based ESAF Microfinance, a small finance bank, was allegedly hacked by the group SERGEANT Phre4k, which accessed a third-party vendor platform.
According to a threat researcher, the group gained control of ESAF's network by logging into the vendor's server and then exfiltrated customer data, which was posted on pastebin.com.
Bangalore-based C.N. Shashidhar, CEO at SecureIT Consulting Services LLP, says it's difficult for small banks to adequately assess the whether third-party vendors are adequately securing customer data.
"Most of them fail to assess the risk posture that vendors bring in, and hence such breaches cannot be ruled out, he says. "In case of Jana Bank breach also, the researcher used a simple open-source tool search engine to access the vendor's nonsecure server."
Ramping Up Vendor Risk Management
To beef up its effort in managing third parties, Jana Bank, had altered its outsourcing model in April 2018. This model provides better governance and control of its data, Khorana says.
"Our new partners are Wipro, Cognizant, Precision and Clover Technologies.Their teams are stationed in our office premises to work with Bank's security team for deploying any kind of technologies or tools in protecting data and supporting us," Khorana says.
Khorana adds: "We have signed stringent SLAs with our data center partners as well and conduct periodic audits and vulnerability assessments and pen tests.
Jyoti of Ujjivan Small Finance Bank says vendor risk management must involve "analyzing all possible gaps in the security posture of the vendor as a pre-on boarding risk assessment strategy."
He recommends banks adopt a "security by design" approach and take steps to analyze the entire application and security life cycle of their vendor partners.