US digital bank Dave has reported a breach of customer data after hackers gained access through a third-party technology supplier.
The banking app provider told customers that a breach at former partner, Git analytics provider Waydev, had led to the personal information of more than seven million customers being stolen. Passwords, as well as personal user information such as names, emails, birth dates, addresses and phone numbers, were included.
According to reports, Dave was not a customer of Waydev when the breach occurred and was using old OAuth (open authorisation) tokens from Waydev. OAuth is an open standard authorisation framework for token-based authorisation on the internet.
Dave said in a statement that a malicious party had claimed to have “cracked some of these passwords and is attempting to sell Dave customer data”.
The company is now working with law enforcement agencies, including the FBI, to investigate.
“Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions or unencrypted social security numbers,” it said. “We have no evidence that any unauthorised actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident.”
Dave said that when it became aware of the breach, it immediately launched an investigation, which is ongoing, and is now working with law enforcement agencies.
It said it had secured its systems quickly and had been “working around the clock” to keep customers’ accounts safe. It is currently notifying all customers about the incident and is performing a mandatory reset of all Dave customer passwords. Cyber security consultant CrowdStrike is assisting the recovery.
Saryu Nayyar, CEO at security technology supplier Gurucul, said the breach was another example of attacks that come through a third party with access to the environment. “It’s a common theme and has led to some high-profile, and expensive, breaches,” he said. “The challenge is gaining visibility into third-party environments or applications that can access your own systems.”
Mark Crichton, senior director of security product management at security supplier OneSpan, said opening up data to third parties will always increase the chances of a cyber attack. “However, banks should make sure they have the technology in place that allows them to better detect the types of fraud made possible with compromised data,” he added.
“Banks should also make sure they are only working with third parties that have appropriate security infrastructure in place, to mitigate the chance of any data being stolen.”