Cyber Incident Victim: Digital Insight
Date: Oct 2019
Location: United States of America
Summary
A cybersecurity incident involving Digital Insight, an online banking platform, led to temporary blocking of third-party aggregators Mint and QuickBooks after attackers exploited credential reuse to automate unauthorized account access. The attackers bypassed multi-factor authentication prompts in some cases, enabling surveillance of account balances and transactions to identify targets for fund draining. The breach facilitated fraudulent linking of victim accounts to attacker-controlled platforms through microdeposit verification methods. Platform provider NCR intervened by suspending aggregator access during its investigation and restored connectivity after confirming containment. The incident highlighted systemic vulnerabilities in financial data aggregation security practices.
Description
In late October 2019, NCR Corporation temporarily blocked third-party financial data aggregators Mint and QuickBooks Online from accessing its Digital Insight online banking platform, which served hundreds of financial institutions. This action followed reports from a U.S. credit union—a Digital Insight customer—of dozens of unauthorized account accesses over the preceding week. Attackers employed automated login attempts during multiple 12-hour periods, targeting accounts at intervals of five to ten minutes. The attackers exploited reused or weak online banking credentials, likely obtained from prior breaches of non-banking websites, to gain initial access. A critical vulnerability stemmed from inconsistent enforcement of multi-factor authentication (MFA) by the aggregator services: in many cases, the attackers bypassed MFA prompts entirely, accessing accounts with only usernames and passwords. This inconsistency led the credit union’s security team to suspect a compromise within Mint or QuickBooks, prompting NCR’s intervention.

NCR notified Digital Insight customers on October 25, 2019, of the suspension of aggregation capabilities for specific third-party products while investigating a reported incident involving a single user. By October 29, NCR confirmed the incident was contained and restored connectivity, attributing the attacks to increasingly aggressive methods by criminals leveraging credential reuse. The attackers used aggregator APIs to monitor account balances and transaction histories, enabling them to identify high-value targets for further exploitation. Beyond direct account takeovers, this access facilitated linking victims’ bank accounts to attacker-controlled accounts on platforms like PayPal and Zelle through microdeposit verification schemes. The incident highlighted systemic risks in banking platforms’ reliance on aggregators that bypassed MFA protocols, exposing customers even when their banks offered robust authentication measures. Financial losses and operational disruptions occurred at affected institutions, though NCR did not disclose the total number of compromised accounts or specific monetary impacts.
