TCM Bank data leak: Credit card issuer exposes thousands of applicants' information for over a year

• Leaked data included applicants' names, addresses, dates of birth and Social Security numbers.
• People who applied for cards between early March 2017 and mid-July 2018 were impacted by the incident.

Credit card issuer TCM Bank exposed the personal and sensitive details of thousands of people who applied for credit cards for more than a year. The firm, which helps over 750 small and community US banks issue credit cards to account holders, said applicant data was exposed via a misconfigured website managed by a third party vendor.

Compromised data included applicant names, addresses, dates of birth and Social Security numbers.

TCM said it was made aware of the issue on July 16, 2018 and resolved the issue the next day. The company said its own website was not impacted in the incident.

People who applied for cards between early March 2017 and mid-July 2018 were impacted by the incident. According to Bruce Radke, an attorney working with TCM, fewer than 10,000 credit card applicants were affected in the incident.

TCM is a subsidiary of ICBA Bancard Inc that helps community banks offer credit card options to their customers with respective bank-branded cards. TCM itself partners with more than 750 financial institutions across the US, offering its credit card services to over 300,000 customers, according to its website.

Who was the third-party vendor?

The third party vendor responsible for managing the misconfigured site was not named by TCM citing they were "contractually prohibited" from doing so.

“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said. “We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”

Third-party risk on the rise

Security Brian Krebs, who was the first to report the issue, notes that the incident is yet another reminder of third-party risks.

"Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information," Krebs wrote in a blog post. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers.

"Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners. Nevertheless, organizations of all shapes and sizes need to be vigilant about making sure their partners are doing their part on security, lest third-party risk devolves into a first-party breach of customer trust."