Leaked FinCEN Reports Reveal Sensitive Security DetailsSuspicious Activity Reports Reveal Tools and Techniques to Adversaries, Experts Warn
What will be the impact of the leak of investigatory documents from the U.S. Treasury Department's Financial Crimes Enforcement Network, and could hacking have been involved?
Here's what's known: Someone leaked thousands of sensitive bank documents from FinCEN to BuzzFeed, which then shared them with the International Consortium of Investigative Journalists. The documents contain extensive investigatory details, including reports of suspicious-looking activity, that are already proving embarrassing for five financial firms and their customers. And cybersecurity experts warn that the leaked information might also get tapped by hackers or fraudsters to help perpetrate - or even hide - future schemes.
The leaked documents describe how five major banks, - JPMorgan Chase, HSBC, Standard Chartered Bank, Deutsche Bank and Bank of New York Mellon - were allegedly involved in handling the flow of money between individuals and groups that may have been acting in a criminal manner, according to BuzzFeed and other media reports.
Experts note that suspicious activity reports, or SARs - which form the heart of many of the leak-derived reports being released this week by media outlets - contain a great deal of sensitive information that might be weaponized by criminals or nation-states.
SARs typically get sent by a financial institution to FinCEN to warn of potentially fraudulent banking activity.
Files from FinCEN that include SARs often contain sensitive data that could expose numerous investigative techniques, monitoring lists, watch lists and other tactics that banks and law enforcement agencies use to globally monitor and track funds, says attorney Chris Pierson, CEO of cybersecurity firm BlackCloak.
"SARs can contain information on databases used to track IP addresses, intelligence-enhancing tools, client 'know your customer' effectiveness and other tools and techniques that could allow adversaries to study this information and work around controls that were once private and now are exposed," Pierson tells Information Security Media Group.
Mark Rasch, an attorney at the law firm of Kohrman, Jackson & Krantz, says some of the first to suffer from the data being made public will be banks' customers. He notes that, as journalists and investigators begin to comb through the data, they may find some highly embarrassing information suggesting that a person or company was involved in some nefarious behavior.
While such information may at first glance look suspicious, after being investigated it may turn out to be entirely legitimate, Rasch says. But such issues remain unresolved until investigations have been completed by banks and FinCEN. And if investigations found no evidence of wrongdoing, then the matter would likely just be closed and never made public.
2,500 Leaked Documents
The reports into the leaked SARs has been more than a year in the making. BuzzFeed and the International Consortium of Investigative Journalists have been reviewing 2,500 documents leaked from FinCEN that were sent from financial institutions to the federal government between 2000 and 2017. The documents, which are required by law, inform the government of possible wrongdoing tied to transactions taking place at a bank. But such reports are not themselves evidence of wrongdoing, as the news reports have emphasized.
The BuzzFeed and International Consortium of Investigative Journalists stories claim the documents reveal the banks knew some type of fraudulent activity was taking place and allowed the money to move, thus failing to act on signs of potentially illegal activity.
On Sept. 2, FinCEN issued a statement saying it was aware that media outlets were readying the story based on unlawfully disclosed SARs, as well as other sensitive government documents. The agency also said that releasing the information would be illegal and that the matter had been referred to the U.S. Justice Department.
Leak, Hack or Data Dump?
None of the experts who spoke to ISMG about the leaks suspect the SARs were obtained via a hack attack.
Rasch says it is much more likely to have been a leak. Likewise, Ilia Kolochenko, CEO of web security firm ImmuniWeb, says a combination of a malicious insider and insufficient internal controls likely facilitated the data leak. Another possibility, however, is that this could be "a breach of a trusted third party - such as an IT supplier or even a cybersecurity vendor," he says, emphasizing that full details won't be known until FinCEN releases its incident report.
How the FinCEN information ended up in reporters' hands remains unknown. But in January, a Justice Department news release noted that ex-FinCEN employee Natalie Mayflower Sours Edwards had pleaded guilty to conspiring to unlawfully disclose suspicious activity reports.
Rasch says the leak highlights how the government may not be well prepared - from either a technical or human perspective - to protect this type of data. And the leaker, he says, likely was not someone who was very high up in FinCEN's org chart because the SARs were likely accessible to numerous employees.
Of course, banks receiving a report would limit access "to the fewest of persons at a bank and tightly controlled," Pierson says.
The leaks have already damaged the reputation of FinCEN and the banks mentioned in the SARs. But that's just the start of what will likely be more extensive fallout.
"From a cybersecurity standpoint, we may expect a growing lack of trust to governmental agencies, which on one side have quasi-unlimited access to the most sensitive data of the largest organizations, while on the other side, they cannot duly safeguard this data," Rasch says. "A transparent investigation is required to restore confidence."
FinCEN may already be attempting to get a handle on its operations and institute improvements. Last week, before news of the leaks broke, FinCEN issued a call for public comment on measures to be taken by banks to enhance the effectiveness of anti-money laundering - aka AML - programs.
"FinCEN, in collaboration with its supervisory partners, law enforcement, and, where appropriate, the financial industry, has undertaken recent initiatives to collectively re-examine the BSA regulatory framework and the broader national AML regime," according to the agency.
The only way to stop money laundering schemes is to massively increase the fines levied against banks, as well as consider harsh penalties for any CEO or CFO found to be dodging the rules," says Ori Eisen, CEO of the passwordless authentication firm Trusona.
"As long as the fine is less than the profit made, this will continue to happen," Eisen says, citing the fact that HSBC was fined $1.9 billion in 2012 over money laundering accusations, with the bank later admitting that it had poor controls in place to stop this type of behavior.
Executive Editor Mathew Schwartz contributed to this report.