MBS insurer breach leaves customer info searchable on Google

by Ryan Smith08 Oct 2014
A data leak at the country’s largest bond insurer left the account numbers of its customers – both individuals and municipal governments – accessible by a simple Google search.

A subsidiary of MBIA, which insures mortgage-backed securities and municipal bonds, accidentally exposed client data, including account numbers and balances, according to a Washington Post report.

The MBIA subsidiary, Cutwater Asset Management, manages $23 billion in assets. MBIA spokesman Kevin Brown told the Post that the company had been reaching out to clients regarding the exposure.

“We have been notified that certain information related to clients of MBIA's asset management subsidiary, Cutwater Asset Management, may have been illegally accessed,” Brown told the Post. “We are conducting a thorough investigation and will take all measures necessary to protect our customers' data, secure our systems, and preserve evidence for law enforcement.”

But security researcher Bryan Seely, who discovered the leak, told the Post that when he tried to contact MBIA about the breach, the company refused to return his calls. Seely said the breach was even worse than leaks of credit card data, since credit cards are generally insured by banks against fraudulent activity. This kind of breach, Seely said, could have been exploited to compromise millions of dollars in investments.

The fact that it wasn’t exploited is probably pure luck, he said.

“It could have very easily been discovered by someone else without scruples,” Seely told the Post.



Should CFPB have more supervision over credit agencies?