Case Study: Helping a bank identify customer data risks

Bank management asked Elliott Davis for help:

“We have lots of data from customers applying for Paycheck Protection Program loans (PPP); is it protected? Additionally, we had a previous firm perform testing, but we need to validate their results. Can you help?”

 

Customer Background

    • Top nationwide lender
    • Had previously completed a cybersecurity assessment and penetration test with another firm and needed confirmation of the findings
    • Needed to protect client data received through their PPP loan portal
    • Wanted to assess overall security posture of applications and systems

 

Our Approach

1. External Penetration Testing occurred first due to sensitivity of PPP application data.

    • Testing uncovered that data submitted by customers was not adequately protected
    • Found path to key documents that included sensitive personally identifiable information
    • Team alerted bank in afternoon with steps for remediation; IT team resolved issue following morning

2. Internal Penetration Testing completed on entire network.

    • Elliott Davis team mimicked multiple threat scenarios to demonstrate impact of findings on internal network
    • Result: Ability to capture passwords and access domains, specifically the card issuance system that prints credit cards
    • Remediation path developed for Customer IT team to implement

3. Cybersecurity Assessment completed analysis of bank security posture against CIS Framework.

 

Customer Results

    • Identified PPP loan portal was at risk and remediated in less than 24 hours
    • Performed a complete and thorough external and internal penetration test of systems and applications, which had not previously been fulfilled
    • Pinpointed additional areas of risk across multiple systems
    • Established clear path for remediation
    • Successfully completed assessment to help company understand cybersecurity posture

 

We Can Help

For more information on this and other topics related to Cybersecurity, contact a member of our team.

 

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.