The Irish Mail on Sunday

How orphan accounts open doors for hackers


IN THE world of cyber hacking, the bad guys are always looking for a way in.

Often they gain access via orphan accounts – user accounts on a company’s IT infrastructure not allocated to anyone any more.

Orphan accounts are common and are considered a real cyber risk.

When employees stop working, they stop getting paid. But companies are not so good at closing down their access to IT systems.

The use of third-party cloud-based systems and remote working has made the problem worse.

One of the problems with orphan accounts is they miss out on security updates.

This makes access easier, and once inside, a hacker can move through an IT system seeking out other orphan accounts that have bigger privileges.

In May 2021, a hacking group known as the DarkSide found an orphan account belonging to an employee at Colonial Pipeline.

The resulting hack caused widespread fuel shortages across the United States and cost the company a $4.4m (€4.1m) ransom.

The European Central Bank knows such attacks are an ever-present danger. In March, ECB board member Fabio Panetta gave a keynote speech warning of the proliferation of cyber threats facing EU banks and the ‘threat to the stability of the overall financial ecosystem’.

The ECB knows it’s already in a gunfight and many of its troops are not ready. The EU is implementing new cyber resilience rules that will come into effect in 2025. In the meantime, efforts are aimed at promoting cyber resilience best practice.

So just how resilient is Bank of Ireland? It is easy to find insiders in the bank who will privately speak of chaotic IT systems and poor management. But these failures are known to regulators. In February, the Data Protection Commission (DPC) fined Bank of Ireland €750,000 after individuals gained ‘unauthorised access to other people’s accounts via the BOI365 banking app’.

The DPC report confirms BOI managers knew in July 2019 that a programming error could allow others to see accounts that were not theirs on its banking app. Yet the company waited until March 2021 – a full 21 months – before doing anything about it.

In 2021, the Central Bank fined BOI €24.5m for IT failures that had been ignored since 2008. These started to be appropriately recognised and addressed only in 2015 and were not completely fixed until 2019.

exposed: Dormant user accounts are an easy in for cyber hackers
