Bond insurer MBIA was told two weeks ago about a server breach that compromised the data of thousands of local U.S. government entities, but it did not address the problem until earlier this week, according to the cyber security expert who discovered the intrusion.
MBIA said on Tuesday it had been notified that some client information at its Cutwater Asset Management unit may have been illegally accessed.
The company said it shut down the affected server for the now and was conducting a "thorough investigation." It intends to take all measures necessary to protect customer data and secure its systems.
Cutwater provides investment management services to local governments for cash management purposes. Its clients include the New Hampshire Public Investment Pool and Trust Indiana. It also offers private funds for local government entities that pool their assets.
The compromised information included user names and passwords and would have allowed hackers to add users to clients' accounts, effectively giving them access to billions of dollars in those accounts, said Bryan Seely, an independent cyber security consultant who notified MBIA on Sept. 24.
MBIA acknowledged that Seely had contacted the firm but said it believed he was trying to sell it something and decided not to respond. The firm did run a test on the company's web sever following the contact but did not test the client connection portal at Cutwater, where the breach occurred.
The documents showed "the names of the people authorized to withdraw money, their permissions and how to add new people with just a very simple form that says the name of the person, their privileges and who authorized it," said Seely.
The breach affected "a couple of billion" dollars in client accounts, said Seely, who said he discovered the intrusion using search tools.
The affected clients were from states including Texas, New Hampshire, Indiana, Connecticut and Louisiana. There were a few hundred to a thousand entities compromised from each state. The largest account that Seely found was for the Louisiana Asset Management Pool (LAMP), which totaled $505 million.
Around 1,000 entities have been affected in Texas alone, Seely said. "Essentially any account that Cutwater Asset Management had was breached," he said.