A fascinating cybercrime story about an "unlimited operation" in New York involving the theft of debit card information from payment processors, and the resulting theft of $45 Million from thousands of ATMs by an international gang of hackers broke yesterday. What makes this story interesting is not necessarily the level of sophistication of the attack (most of the technologies used have probably been around for some time), but that it involves both cybercrime (data theft and manipulation of financial data) and good old fashioned in-person ATM withdrawals to monetize the data theft.
So far, it is unclear from the story exactly how the hackers gained access to the debit card information, or how they eliminated the withdrawal limits of the debit cards involved. One could imagine a low and slow data theft campaign that stole a few debit card numbers at a time to remain undetected. Instead, this story is a perfect example to illustrate the innovation hackers employ to turn data theft into financial gain. It doesn't always have to be high-tech from beginning to end. Sometimes all it takes is good organizational skills.
One thing is clear, regardless of what method these hackers utilized to get their hands on this financial data or modify the banking systems, sophisticated DLP (Data Loss Prevention) technology would have kept sensitive financial data secure and detect even innovative attempts of hackers to steal confidential data. These DLP technologies include solutions such as Drip DLP to protect against low and slow data theft attempts, the ability to detect data theft utilizing custom encryption, or OCR (Optical Character Recognition) to detect attempts to steal sensitive data contained in image files such as JPEGs, or GIFs.
Financial institutions (and other industries dealing with sensitive data) need to be adequately prepared against attempts to steal their data. The risks and costs associated with deploying outdated or weak DLP technology are much higher than the $45 Million stolen in this instance. How much would the loss of sensitive data cost your organization in lost revenue, legal fees, customer churn, and bad press?