Helping a bank identify customer data risks

Bank management asked Elliott Davis for help: “We have lots of data from customers applying for Paycheck Protection Program loans (PPP); is it protected? Additionally, we had a previous firm perform testing, but we need to validate their results. Can you help?”

Customer Background

• • Top nationwide lender
  • Previously had completed a cybersecurity assessment and penetration test with another firm, needed confirmation of findings
  • Needed to protect client data received through their PPP loan portal
  • Wanted to assess overall security posture of applications and systems

Our Approach

1. External Penetration Testing occurred first due to sensitivity of PPP application data.

• • Testing performed uncovered data customers submitted was not adequately protected
  • Found path to key documents that included sensitive personally identifiable information
  • Team alerted bank in afternoon with steps for remediation; IT team resolved issue following morning

2. Internal Penetration Testing completed on entire network.

• • Elliott Davis team mimicked multiple threat scenarios to demonstrate impact of findings on internal network
  • Result: Ability to capture passwords and access domains- specifically card issuance system that prints credit cards
  • Remediation path developed for Customer IT team to implement

3. Cybersecurity Assessment completed analysis of bank security posture against CIS Framework.

Customer Results

• • Identified PPP loan portal was at risk and remediated in less than 24 hours
  • Performed a complete and thorough external and internal penetration test of systems and applications; previously not fulfilled
  • Pinpointed additional areas of risk across multiple systems
  • Established clear path for remediation
  • Successfully completed assessment to help company understand cybersecurity posture

We Can Help

For more information on this and other topics related to Cybersecurity, contact a member of our team.The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.