Cyber Consultant Says Cutwater Data Breach Tip of Iceberg

WASHINGTON - The cyber consultant who discovered that Cutwater Asset Management's server for its local government investment pool clients was not secure says this is just the tip of the iceberg.

In an interview, Bryan Seely, a 32-year-old Seattle-based independent cyber consultant and former Marine, said that two weeks ago he discovered that certain servers of 400 to 500 state and local governments, universities, and companies were not secure and were therefore hackable.

He said he found these sites after doing a Google search and discovering a certain grouping of words tied to 25,000 websites, which he later linked to the 400 to 500 entities. "If you find those words, you screwed up," he said.

The words show the security settings that protect the websites were not configured properly, Seely said. He doesn't think any information from the websites was stolen, but said "other people might have accessed it."

Seely said he was able to access a server at the Maryland Port Administration, which has certificates of deposit outstanding in the municipal securities market, and found visitor logs showing the names of classified individuals from the Defense Intelligence Agency.

A spokesman for MPA could not immediately provide any comments.

Seely said he notified Federal Bureau of Investigation officials, who asked him to call the Department of Homeland Security. He said he made that call but never heard back from the department.

Seely was the focus of several news articles earlier this week after he said he was able to get into the server of Cutwater, a registered investment adviser and unit of bond insurer MBIA, Inc. that is slated to be acquired by BNY Mellon Corp. early next year. He said he found detailed current and past information about several state and local government investment pool clients of the firm. MBIA/National Public Finance Guarantee Corp. has also been in the news lately for exposure to both Detroit and Puerto Rico credits.

Seely told The Bond Buyer he could have withdrawn funds from the Louisiana Asset Management Pool (LAMP) if he had wanted to. He said he found contract information, phone and fax numbers, email addresses, wiring instructions, bank account numbers and routing numbers. LAMP showed net assets of $505 million in 2002, he said. One report showed that New Orleans had a net balance of $9.9 million of sales tax revenues in an account as of September of this year.

Theodore C. Sanders, 3rd, chief executive officer of LAMP, said, "We were notified this week of a possible data breach at LAMP's external fund accountant, Cutwater Asset Management. We are monitoring the situation. We want to assure our clients that no unauthorized transactions have been made. Cutwater has hired cybersecurity forensic consultants to investigate what information was exposed. In the meantime, we are in complete control of the LAMP pool's assets through our custodian, JPMorgan Chase."

Kevin Brown, an MBIA managing director and spokesman, said, "We do not believe [Seely's] statement that he could have withdrawn funds from our system is true. There are mitigating controls in place such that even if user names and passwords were obtained, that would not be sufficient for an outside party to access."

But in a "Dear Valued Customer" email that the New Hampshire Public Deposit Investment Pool advisors received from Cutwater Tuesday morning, the firm urged them to check for "suspicious activity" in pool accounts.

"We learned today that Client Connection, the online system through which our clients can access their accounts, appears to have been attacked," the email said. "We immediately shut down Client Connection and began an investigation, which is ongoing. Thus far we have seen no evidence of any suspicious or improper transactions.

"Prior to this incident, we had installed a number of controls in Client Connection that would limit the ability of any outside party to access client funds," Cutwater wrote. "Based on our initial investigation, we are optimistic that these controls are serving their intended purpose."

Cutwater asked the department to "be alert for any suspicious activity," saying, "Even if no wrongful transactions have occurred, it is possible that client information, such as information related to your custody or bank operating account, may have been compromised."

"Client Connection will remain offline until we have made further progress in our investigation," Cutwater said.

Seely was able to see that the NHPDIP had $174 million of net assets as of Aug. 31, 2013.

Richard Arcand, a spokesman for the New Hampshire Banking Department, which regulates the NHPDIP and is also among a group of advisors to it, said, "Cutwater is responsible for managing this and we believe they are managing it appropriately."

Indiana's local government investment pool TrustINdiana is also a Cutwater client. State Treasurer Dan Huge said state officials received the same email as New Hampshire officials and have "been in daily contact with Cutwater for updates on the matter."

"They've advised us that they have an outside cyber specialist firm doing a full review of their server, their portal and so on," said Huge, adding that neither he nor Cutwater thinks there have been any fraudulent transactions.

Huge said Cindy Barger, director of TrustINdiana, has notified all of the pool's members about the data breach and that until Cutwater's server is back up, the pool will use alternative methods of doing transactions such as through calls to Cutwater.

Seely said he repeatedly called MBIA about the data breach two weeks ago. Brown said MBIA officials did not respond because they thought Seely was trying to sell them something. Brown said MBIA tested a server and found nothing wrong.

But Seely claims he sent MBIA officials computer screen shots showing account information and that the insurer didn't do anything until Brian Krebs, an independent investigative reporter contacted by Seely, reached out to MBIA and blogged about the data breach on his website, KrebsOnSecurity. Brown said neither MBIA nor Cutwater received any screen shots.

Brown said MBIA and Cutwater shut down the server and notified current clients Monday night and former clients on Tuesday of the data breach. He said he could not comment on when the server would be fixed and brought online again. Until then, local government investment pools will have to do transactions manually and obtain information about their accounts through calls to Cutwater, he said.

Cutwater is regulated by the Securities and Exchange Commission and Financial Industry Regulatory Authority. An SEC spokesman said the commission could not comment on the data breach and FINRA spokespersons could not be reached for comment.

But the SEC's Office of Compliance Inspections and Examinations issued a risk alert last April detailing a cybersecurity initiative to conduct examinations on cybersecurity preparedness in the securities industry. An appendix to the alert provided a sample list of questions and requests for information that OCIE would be using in the examinations of registered entities regarding cybersecurity matters. These included, among other things, a copy of the firm's written information security policy and a response as to whether the firm conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences. OCIE said it also might ask if the firm has experienced any data breaches since Jan. 1, 2013.
