FinTech, Healthcare & SaaS Need Non-Human Identity Management More Than Ever Before

Though every organization is susceptible to data breaches, those in FinTech, Healthcare, and SaaS are particularly vulnerable to attacks due to the high volume of data they possess. It's all the more necessary for these organizations to secure their digital estate end-to-end. Identity & access management (IAM), authorization policies, and observability tools are required to enforce security. But with the proliferation of microservices, distributed architectures, numerous vendor and partner integrations, as well as open-source components, the digital supply chain has become more vast and complex than ever. This requires a purpose-built security solution that addresses the new needs of organizations in these sectors, to which Non-human identity management has risen to meet.

Let's dive deeper, by looking at recent data breaches in each of these three sectors, beginning with FinTech.

Breach examples in FinTech

The term 'FinTech' includes a range of organizations such as banks, non-banking financial institutions, stock trading platforms, insurance firms, and even government and international financial bodies. The IMF estimates that FinTech companies have lost a combined $12B over the past 2 decades due to cyber attacks.

The reason for FinTech's vulnerability is clear - money is at stake most directly in FinTech companies. They possess large sums of customer funds that attackers would go to any length to get their hands on. The rewards are big, and the getaway path could be simple.

Prudential Insurance exposes data of 2.5M customers

The personal data of 2.5M customers of Prudential Insurance was compromised due to a ransomware attack. This is when an attacker gains access to an organization's internal systems, and installs ransomware software that watches and collects information about the system and functions under the radar. This breach started as the attackers gained access via the leaked credentials of employee and contractor accounts. These could have been human user accounts, or software credentials like access tokens, and API keys.

Ransomware group Alphv/BlackCat, a well-known group in the RaaS (Ransomware as a service) community, was identified as the attacker. In addition to performing attacks themselves, they also provide all the tools and resources required for anyone to carry out ransomware attacks on their own. Options like this are making cyberattacks more accessible to anyone with a computer.

Bank of America & Fidelity affected by the same breach

BoA, one of the largest banks in the US, had the data of 57,000 customers stolen and incurred a loss of $30M. This wasn't the end of the attack as it had a ripple effect on another financial services organization - Fidelity. The Fidelity attack led to the theft of 28,000 customers' data.

The origins of this attack were again tied to third parties who could gain unauthorized entry into BoA's systems. Partners, vendors, and other third-parties often have overly permissive permissions for their accounts and this is misused by them or an attacker from the outside. These privileges need to be revoked at the earliest for FinTech organizations to be secure.

Breach examples in healthcare

Healthcare organizations may not handle as much money as their FinTech counterparts, but they operate in a priceless domain - human lives. Any disruption to their services has a material impact on patients' lives. Even if not for disruption in treatment, the private and personal data of patients is exposed.

Healthcare has tried to become modernized with the help of the Internet and SaaS applications. They're fast-replacing their legacy on-premises systems with modern cloud-based ones in a push to become more patient-centric, better centralized as an institution, and to lower IT costs. However, this has only made them easier targets for cyber attacks. Healthcare institutions have paid greater ransoms with each passing year with the average ransom payout going from $5k in 2022 to $1.5M in 2023.

Here are some examples of healthcare security gone wrong:

1. Lurie Children's Hospital loses medical records of its child patients

The nationally acclaimed Chicago-based Lurie Children's Hospital suffered a major breach that forced it to completely shut down the entire network for a period of time. Some patients who required surgery were left hanging about when their surgery would take place. Surgeons were not confident to perform surgeries with lost or incomplete medical records of their patients. Some patients had paper records and could get treated as normal, but that wasn't the case for all patients.

2. Coronalab exposes the personal data of millions of Dutch nationals

With the onset of COVID-19, many healthcare providers were in a rush to set up online apps and databases that gather and store patient data in the cloud. However, much of this infrastructure needed more security then they were built with. One example of this is the Dutch COVID testing company, Coronalab, which tested and held the data of 1.3M Dutch citizens, including some records of citizens of other countries. Coronalab had a misconfigured, read passwordless, Google Cloud storage bucket that anyone with the path to the bucket coil access. This single misconfigured non-human identity caused the entire data breach.

There were many other such data breaches such as Harvard Pilgrim Health Network which led to the exposure of 2.8M people's personal information, and pharma giant Cencore which reported a data exfiltration incident that affected 250k people.

Data breaches in SaaS

SaaS applications are the norm today - from Gmail to Amazon, Uber & Netflix - we use SaaS applications on a daily basis and cannot live without them. However, the shift from on-premises to SaaS has introduced new threats that are massive in scale. SaaS applications have the most number of users - sometimes in the billions as is the case with Gmail and other big-tech SaaS apps. SaaS apps rely on other SaaS apps. This makes it easy for attackers to move laterally to neighboring SaaS applications. Attacks like Solarwinds and Snowflake show the potential for a single attack to spill over to thousands of organizations.

1. Ticketmaster compromises 560M users' data

Ticketmaster is the world's biggest seller of event tickets. They were in the spotlight for all the wrong reasons recently as they became a victim of a data breach that compromised 560M users' data. This event caused a stir globally as the data of many countries' citizens was involved in the breach. Interestingly, this breach was an offshoot of an earlier breach of Snowflake, the data storage and analysis company. The attackers have demanded a ransom of $500k.

2. WordPress plugin puts 5M websites at risk

The world's biggest website creation and CMS platform had one of its free plugins - Litespeed Cache plugin - compromised. This allowed attackers to create an admin account and take over any website that used the free plugin. The plugin had about 5M active installs at the time of the breach, and only about 3M websites downloaded the patch after the breach. This still leaves about 2M websites at risk.

Ticketmaster and WordPress are just 2 examples of the power of SaaS applications that operate in the cloud and at scale. They make it easy to build and distribute software globally. However, with this power also comes the increased risk of being attacked and compromising the security of all users within the SaaS system.

The aftermath of a data breach

Let's look at what's at stake for organizations that are victims of a data breach.

Loss of company reputation & customers

The biggest loss for the organization is the loss of its reputation and customers' trust. This is especially true for organizations in the FinTech and healthcare industries. Why would anyone entrust an organization with their money if they have a history of losing data or customers' funds? Why would anyone put their lives in the care of an organization that has a history of losing its patients' medical records? Some organizations are big enough to weather a huge security threat, but many SMBs can be brought to their knees by just a single attack.

Customer privacy & safety

Most data breaches in FinTech and Healthcare organizations end up losing the records of their customers. This could be name, email ID, address, phone number, social security number, credit card details, bank account details, political affiliations, email passwords, and more. Once stolen and sold, it's anyone's guess what sinister purposes the data can be used for.

Financial loss & ransom

For organizations caught in a ransomware attack, the amounts demanded are growing to figures as high as the millions. In many cases, it's not just the organization's but their customers' funds that are irreversibly lost. This is common in crypto-related attacks.

Ripple effects on other organizations

Cyber attacks today are more widespread because organizations are intricately connected to each other in the digital world. For example, the attack on Snowflake had ripple effects on Santander Bank, and Ticketmaster as mentioned above. The true effects of a data breach are not fully known at the time it takes place. Often, a single breach can continue to propagate even years after its start.

Now that we've discussed the challenges of securing FinTech, healthcare, and SaaS organizations in detail, let's look at how to do this.

Organizations need to be capable enough to protect their own data

Organizations in FinTech, healthcare, and SaaS need to be strategic and intentional about security. They need clear ownership for security across teams, as far up as the CISO. As they use cloud platforms and on-premise infrastructure alongside each other, they need processes that can span these hybrid infrastructures. This includes setting up end-to-end IAM for human users using tools like Okta and Active Directory.

However, this is only a starting point. The real challenge is to secure a much larger number of non-human identities in the organization's systems. Non-human identity management solutions like Entro have risen to address this challenge. It then layers on the critical context on each non-human identity such as:

• Who created it?
• When was it created?
• What resources does it secure?
• Which vault is it stored in?
• When was it last rotated?
• Is there any suspicious activity around it?
• Are there any active threats?
• Are there any reports of new breaches on the dark web?
• Is there a recent breach that could potentially affect your organization?

Organizations need to protect their customers' data

Customer data is often stored in storage buckets in the cloud. These buckets need to be secured with non-human identities:

• Every storage bucket must be configured with a non-human identity
• The non-human identity must be created using a vault provisioned by the organization
• Which location or availability zone the storage bucket must be created in
• Which roles/employees are allowed to create storage buckets
• Any suspicious activity related to the non-human identities or storage buckets
• Customer data should be encrypted at rest and in transit
• If there are signs of a breach, which secrets need to be revoked or rotated?

Things are changing fast for FinTech, healthcare, and SaaS. With new possibilities come new threats to these organizations and their customers. By being aware of the risks, and taking measures to protect themselves, these organizations can get the best of both worlds - take advantage of new technologies, and build trust with customers along the way. Non-human identity management solutions like Entro are key to realizing this future.

Note: This article, contributed by Itzik, draws on his 15+ years of R&D and management experience. Starting as a DevOps engineer in the IDF, Itzik advanced to managing R&D teams at organizations like Microsoft and Maccabi, where he served as CISO. After witnessing breaches involving non-human identities, he co-founded Entro Security in 2021 with Adam Cheriki. Entro is the first end-to-end platform for managing non-human identities and secrets, automating their lifecycle and ensuring secure usage.