(Updates with comments from cyber security expert, details on breach)
NEW YORK, Oct 7 (Reuters) - Bond insurer MBIA was told two weeks ago about a server breach that compromised the data of thousands of local U.S. government entities, but it did not address the problem until earlier this week, according to the cyber security expert who discovered the intrusion.
MBIA said on Tuesday it had been notified that some client information at its Cutwater Asset Management unit may have been illegally accessed.
The company said it shut down the affected server for the now and was conducting a “thorough investigation.” It intends to take all measures necessary to protect customer data and secure its systems.
Cutwater provides investment management services to local governments for cash management purposes. Its clients include the New Hampshire Public Investment Pool and Trust Indiana. It also offers private funds for local government entities that pool their assets.
The compromised information included user names and passwords and would have allowed hackers to add users to clients’ accounts, effectively giving them access to billions of dollars in those accounts, said Bryan Seely, an independent cyber security consultant who notified MBIA on Sept. 24.
MBIA acknowledged that Seely had contacted the firm but said it believed he was trying to sell it something and decided not to respond. The firm did run a test on the company’s web sever following the contact but did not test the client connection portal at Cutwater, where the breach occurred.
The documents showed “the names of the people authorized to withdraw money, their permissions and how to add new people with just a very simple form that says the name of the person, their privileges and who authorized it,” said Seely.
The breach affected “a couple of billion” dollars in client accounts, said Seely, who said he discovered the intrusion using search tools.
The affected clients were from states including Texas, New Hampshire, Indiana, Connecticut and Louisiana. There were a few hundred to a thousand entities compromised from each state. The largest account that Seely found was for the Louisiana Asset Management Pool (LAMP), which totaled $505 million.
Around 1,000 entities have been affected in Texas alone, Seely said. “Essentially any account that Cutwater Asset Management had was breached,” he said.
MBIA said it could not comment on the nature of the data breached.
Cutwater stopped managing pooled assets for Texas municipalities last year. Tom Jordan, chief executive officer of Public Trust Advisors, which took over management of the funds, is asking Cutwater to release more information but said the data is likely old and not of value to hackers.
Seely said he left numerous messages at MBIA and sent emails on the social media site LinkedIn. He said MBIA did not respond although it had read the emails sent over the social network and had visited his profile page.
“Based on the manner in which he was contacting people, including someone who hasn’t worked for the company for the better part of 10 years, and the non-specific nature of his warnings of a problem with the MBIA website, the belief here was that he was attempting to sell us something,” said Kevin Brown, a spokesman for MBIA.
Seely said he never asked for money or offered anything for sale.
MBIA only reacted when Seely contacted independent investigative reporter Brian Krebs, who specializes in cyber security issues. Krebs said he informed MBIA on Monday before blogging about the issue on his website, KrebsOnSecurity.com.
In a letter received by New Hampshire’s banking department, Cutwater said the online system through which customers access their accounts, “appears to have been attacked,” according to the letter, seen by Reuters.
“Thus far we have seen no evidence of any suspicious or improper transactions,” though it is possible that information related to bank operating accounts or custodies may have been compromised, the letter said. (Additional reporting by Megan Davies; Editing by Meredith Mazzilli and Cynthia Osterman)
Our Standards: The Thomson Reuters Trust Principles.