Friday, October 3, 2014

This Week in Bank Failures

After a doozie of a data leak this week, this time from a bank and directly affecting about half of the people in the United States, all the talk is about data security — a fitting topic for Cyber Security Awareness Month. You might have noticed that the larger data leaks don’t happen just anywhere. The tendency is for the more serious data breaches to come from government, brick-and-mortar retail chains, and financial services companies. It is not that the criminals are going where the transactions are. The biggest cluster of transactions can be found at online retailers and within the transaction network, for example at the major credit card clearinghouses, yet these companies have not had their share of data leaks. Partly, perhaps, it is because these companies see their transactions as essentially their whole business, and go to extraordinary lengths to protect them. But I believe there is something else that ties many of the data leaks together, and that is the fear of up-to-date technology. Government agencies, banks, insurance companies, retail chains, and restaurant chains have a basic reluctance about technology. They tend to fear that if they install brand-new technology, it will break something. They may also fear the effort of keeping up to date.

These are not unfounded fears. Consider Apple’s newest operating system, iOS 8, released just over two weeks ago, as the latest example. It was patched twice within its first eight days. The first patch, 8.0.1, was worse than the problems it was meant to fix: on the brand-new iPhone 6 and 6 Plus it cut off cellular service and disabled Touch ID, and Apple withdrew it within hours. The users who had installed 8.0.1 had to upgrade again barely one day later to 8.0.2, so the effort of the first upgrade was wasted. Millions of users still wonder how final 8.0.2 really is, and may wait until December or January (and perhaps version 8.1.1) before they upgrade. It’s a perfectly reasonable approach, and in the technology sector these users are simply understood as “late adopters,” customers who have to be impressed and reassured before they move to new technology.

Banks face the same issues, but unlike cell phone users who might hold off for a few months, banks think nothing of waiting years, 5, 10, even 15 years, before installing an upgrade. Consider that large banks, insurance companies, and the Internal Revenue Service are among the few organizations that still run mission-critical applications on mainframe computers. Mainframes, also known as “big iron,” are the expensive, specialized computers whose lineage dates from the 1960s and 1970s, and the applications that run on them are often nearly as old. They persist less because of any advantage than out of organizational inertia: rewriting and re-certifying decades of accumulated business logic is a risk few institutions are willing to take.

Or consider the security problems posed by ATMs, automatic teller machines. The majority of them, as the year started, ran on Windows XP, an operating system whose vendor support ended in April. As we saw, a reluctance to keep things up to date led to enormous added costs and risks across the banking sector worldwide, with banks paying for custom extended-support contracts or rushing replacements to stay on the right side of the deadline. This is the technology milieu in which we entrust our banking lives. Within a large bank, it may take a year-long study and five levels of management approval just to install a software patch that fixes a bug in a server configuration. When an obsolete network component has to be replaced, the replacement may not be the latest and greatest but the oldest version still available, so that seven-year-old technology is installed to replace ten-year-old technology.

The situation is only a little better in the larger insurance companies and many retail and restaurant chains, where the worry is about upgrading so many locations while keeping everything in sync. In organizations that are so afraid of new technology, keeping up with the ever-changing demands of data security is an unenviable task. I have met a few of the people who do this work within banks, but I frankly don’t know how they do it within the draconian limitations of the hierarchical management of a bank.

You might read in the news that the entire banking sector is facing a cyberattack, but that is not really true. I believe the largest banks are targeted by criminal organizations specifically because of their out-of-date technology, and the same might be true of retail chains that take the same go-slow approach. When many of an organization’s servers run operating systems and other key components that are five or ten years old, the publicly known vulnerabilities in those obsolete versions give criminals an opening to get in, and once a component is past its vendor’s support, no fix will ever arrive for the next flaw that is published, so each new one stays open indefinitely. In other words, large banks’ fear of breaking something by employing “new” technology from the past five years is an impediment when it comes to keeping customer data secure, and these large banks end up breaking something in a different way. The large banks shouldn’t have to look far to find out how they could be doing better. A great many banks, probably most banks but especially the medium-sized banks with roughly 10 to 50 branches and also the “new” large banks that grew past 50 branches within the last ten years or so, are doing better at keeping up with technology and keeping their data, and their customers’ data, safe.
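The two preceding paragraphs argue that the problem is software that is past its vendor’s end of support or simply not patched for years. The first thing a security engineer at such an institution wants is a way to find those hosts before an attacker does. The script below is an added example, not code from this column or from any bank; it reads a small asset inventory and flags every host whose operating system is past its published end-of-support date or whose last patch is older than a policy threshold. The inventory rows and the 90-day threshold are constructed for illustration; the end-of-support dates are the vendors’ published ones.

```python
"""Flag hosts running end-of-life or long-unpatched software in an asset inventory.

Added example for this column, not code from the original post. The inventory
rows and the 90-day patch-lag policy are constructed; the end-of-support dates
are the vendors' published ones.
"""
import csv
from datetime import date, timedelta
from io import StringIO

# Vendor end-of-support dates (published by Microsoft, not assumptions).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 7": date(2020, 1, 14),
}

# Constructed sample inventory: hostname, role, os, last_patched (ISO date).
SAMPLE_INVENTORY = """\
hostname,role,os,last_patched
atm-0117,atm,Windows XP,2013-11-02
web-edge-3,web,Windows Server 2008 R2,2014-09-20
db-core-1,database,Windows Server 2003,2014-01-15
branch-fs-22,fileserver,Windows 7,2014-06-01
"""

MAX_PATCH_LAG = timedelta(days=90)  # constructed policy threshold


def assess(inventory_csv, as_of, max_patch_lag=MAX_PATCH_LAG):
    """Return [(hostname, findings)] for every host with at least one problem.

    findings holds 'eol:<days past end of support>' when the OS is no longer
    supported on the as_of date and 'stale:<days since last patch>' when the
    last patch is older than max_patch_lag. Clean hosts are omitted, so an
    empty list means the inventory passes.
    """
    results = []
    for row in csv.DictReader(StringIO(inventory_csv)):
        findings = []
        eol = END_OF_SUPPORT.get(row["os"])
        if eol is not None and as_of > eol:
            findings.append("eol:%d" % (as_of - eol).days)
        lag = as_of - date.fromisoformat(row["last_patched"])
        if lag > max_patch_lag:
            findings.append("stale:%d" % lag.days)
        if findings:
            results.append((row["hostname"], findings))
    return results


def run_sample(as_of_iso="2014-10-03", max_patch_lag_days=90):
    """Assess the constructed inventory as of a given date (default: this column's date)."""
    return assess(SAMPLE_INVENTORY, date.fromisoformat(as_of_iso),
                  timedelta(days=max_patch_lag_days))


if __name__ == "__main__":
    for host, findings in run_sample():
        print("%-14s %s" % (host, ", ".join(findings)))
```

Run against the sample as of this column’s date, the ATM host is flagged both as past end of support and as unpatched for nearly a year, while two more hosts are merely stale. Re-running with an earlier as_of date shows the same ATM host passing the end-of-support check it fails today, which is the point: a host does not have to change to become a problem, the calendar does it.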

There was a credit union liquidation this week. At the end of September, the NCUA liquidated Republic Hose Employees Federal Credit Union. It had nearly 500 members but less than $1 million in assets. It primarily served employees of two factories in Youngstown, Ohio. The NCUA is contacting members about their accounts.