A consumer data leak involving Money Lover brings cybersecurity front and center for FIs

The news: Financial management app Money Lover’s recent data breach highlights financial institutions’ (FIs’) worst nightmare when partnering with third-party vendors.

What’s the risk? Ethical hackers from cybersecurity firm Trustwave—people whose job it is to test firms’ cybersecurity measures—were able to use tools available on all web browsers to easily access Money Lover consumers’ email addresses, digital wallet names, and transaction IDs.

  • According to American Banker, the email addresses belonged to customers who shared digital wallets to manage shared expenses between peers. No passwords or login credentials were found in the leaked information, so customers’ accounts were not accessible.
  • But the sensitive information made consumers more vulnerable to attacks like spear-phishing, in which hackers use legitimate-looking emails to entice consumers to click a malicious link or engage in other financially risky behaviors.

Shady fix: Trustwave employees discovered the sensitive data on November 24. They say they promptly notified Finsify, the company that maintains the Money Lover app. What happened after is worrisome.

  • Finsify didn’t respond initially, Trustwave says, so Trustwave employees reached out again to the app manager via Facebook Messenger. Finsify finally responded on Facebook, and Trustwave shared the technical details.
  • After explaining how the information was accessible, Trustwave says it didn’t receive any progress update on remediation. Trustwave began preparing a statement to share with Money Lover users to let them know their personal data wasn’t safe.
  • It wasn’t until January 27 that Trustwave was no longer able to access the sensitive information. It still hasn’t received any word from Finsify.

Though consumers’ accounts were arguably secure throughout the duration of the leak, the alleged lack of response and lengthy delay in patching the data leak should be a wake-up call for financial institutions partnering with third-party tech providers: They need to make sure they know who they’re doing business with.

Why is this important? As consumers’ financial lives become more digitized, they’re demanding a better customer experience that consolidates all of their financial accounts, products and services in one place. But this opens a can of cybersecurity worms for FIs.

Open banking is progressing due to consumers’ demands, and though regulators are working to implement it safely, it still raises concerns.

  • FIs are hesitant to share their customers’ financial data, not only because of its business value, but also because they can’t control where it ends up.
  • Ensuring consumers have complete control over data sharing is one way to rectify this, but still puts consumers at risk. Many don’t have the time and resources to investigate third-party vendors themselves—they trust their FI to do that.

What should banks do? Bank-fintech partnerships have been top of mind recently. Such partnerships are the cheapest and fastest way for banks to upgrade their tech stack, but the terms of the partnership must be iron-clad.

  • Banks should conduct intense due diligence checks before partnering and throughout the relationship to ensure API connections are airtight.
  • They should also clearly delineate responsibilities between themselves and the fintech partner to prevent a blame game from happening if something goes wrong.

This article originally appeared in Insider Intelligence’s Banking Innovation Briefing—a daily recap of top stories reshaping the banking industry.