Alexei Kuzovkin, Infosoft: "Who gets the blame for customer data breach depends on how it happens"

Unfortunately, banking data breaches have become a common occurrence, although most of the time they are limited in scale. Why do they happen? Infosoft founder Alexei Kuzovkin answers this and other questions.

A massive scandal broke out in October when it was reported that Sberbank had suffered a major data breach. At the beginning of the month it was reported that 60 million credit cards had been compromised, and in late October the Kommersant newspaper reported that it had found a database on the dark web with 40 million entries containing personal data of the bank's customers.

Unfortunately, banks often suffer from data breaches, although they rarely happen at this scale. Why do they happen? What should be the liability of the bank that suffers the breach? What should and can a bank do, and what can users do to avert losses? Infosoft founder Alexei Kuzovkin answers these and other questions.

Why do banking data breaches occur in the first place?

Alexei Kuzovkin: Let's begin by defining the terms. To answer the "why" question, we have to understand that the word "breach" usually describes a number of different events. Of course, this mainly has to do with data privacy, when third parties gain access to data that only the customer and the bank are supposed to know, and neither the bank nor the customer authorized this third party to access these data.

The question here is whether this could be possible. There is a plethora of options here.

There is a detective fiction type scenario with hackers breaking into the bank's infrastructure and stealing large volumes of data. However, banks, and especially major ones, invest heavily in making these frontal attacks futile. Cyber criminals know this, focusing on targets that have fewer defenses.

The second scenario results from a data leak by an insider. This has a higher chance of occurring, although incidents of this kind are rare. The insider must have a high-level security clearance, which means that this person has a high income, and considering the risks it would not be easy to bribe him or her into committing a crime. Of course, there can be other ways of manipulating the insider, but this also entails criminal activity.

There are much cheaper and simpler methods, like carrying out malicious attacks against account and card holders (for example, by posing as the bank's customer support to trick the user), installing Trojan malware on users' devices to steal bank details, or using POS skimmers, etc.

Data obtained this way is usually accumulated over a long period of time, after which it appears on the black market.

Finally, sometimes personal data operators upload personal data to third-party cloud storage, which can be done for various reasons, for example, when migrating data. It may happen that they forget to create adequate protections or to delete the data once the migration is over. This happens all the time, although usually this is not done by banks.

What are the possible protections?

Alexei Kuzovkin: As I have said, banks are going to great lengths to prevent incidents of this kind from taking place by investing millions, if not billions, in defenses that enable them to detect cyber criminals and block them from accessing the bank's infrastructure. There are multiple technical and non-technical approaches to fighting fraud, including when end users are targeted.

Still, it all comes down to the irresponsible attitude of the users themselves. They, not the banks, are usually the ones who ignore safety precautions and give in to the fraudsters' tricks. However, we need to understand that quite often criminal groups that target end users have professional psychologists on the payroll in order to manipulate even the most experienced and savvy targets.

What kind of liability should banks assume for user data breaches? Should they reimburse their customers for losses resulting from such breaches?

Alexei Kuzovkin: In my opinion, it all depends on the source of the breach. If the hackers break through the bank's defenses and steal data from its infrastructure, the bank is of course to blame.

The bank will also bear full responsibility if it turns out that the insider stole the data, or the data security was compromised by negligent staff members.

However, if the leaked data consists of data sets that cyber criminals have been stealing or phishing from various users over a long period of time, it would be wrong to blame the bank. Banking mobile apps are usually well secured, and banks tend to raise awareness among their clients on fraud prevention. How can a bank be blamed for users not taking this advice?

Overall, I believe that the standard terms of use customers sign with their banks must stipulate what happens in case of user data breaches, the obligations of the parties to prevent this from happening, and the liability for incidents that do occur. In other words, the contract has to stipulate that the bank undertakes to secure its infrastructure and user data in a timely and effective manner, as well as secure the official digital tools enabling users to access their bank accounts.

Banks must guarantee that their mobile apps and official website are free from any critical vulnerabilities, or that such vulnerabilities will be removed in due time. They also have to shield communication channels from cyberattacks. Advising users on cyber security could be optional. Customers, in turn, must undertake to abide by the recommended security guidelines, update their software when needed, keep track of antivirus updates, and exercise caution when receiving calls or text messages from the bank.

This is how this problem can be mitigated, at least in part.