A popular Internet security blog revealed last night that unknown hackers compromised Coast Central Credit Union’s website at the end of last year, installing a backdoor that gave them access to internal files and data on the site until yesterday.
However, officials say they are “confident” that the hackers would not have been able to penetrate the credit union’s online banking system, which employs additional layers of authentication that the website’s attackers would not have been able to crack.
“The website is completely separate from the online banking information, which is intentional,” Dean Hart, Coast Central’s vice president of marketing and communication, told the Outpost this morning.
“There are multiple levels of security to make sure that the online banking was not compromised. And we’re very confident.”
Hart said that Coast Central briefly took its website offline yesterday, after it was notified of the breach, and did not put it up again until the backdoor had been removed. In the meantime, users were given a separate link that allowed them to continue to access online banking features.
In his post on the breach, cybersecurity journalist Brian Krebs tells the story of how he discovered that someone had inserted a “web shell” onto the Coast Central site, allowing them to access files, run data queries or otherwise commandeer the site for malicious purposes. Krebs writes that he was the one to notify the credit union of the breach, and that after a few days he was able to get through to someone who took the matter seriously.
But Dean wished to underscore that the hack affected only the public-facing, informational portion of the Coast Central website. Attackers would not have been able to access online banking data – account information, money transfers, or anything of that sort – through the breach.
What information the hackers did access – if they did access anything – is still unknown. Hart said that the credit union has contracted with a nationally known cybersecurity firm with a stellar reputation to conduct a forensic audit to determine what information the hackers may have received, if any, and how such attacks can be prevented in the future.