On April 7, 2014, security researchers announced they had uncovered a serious flaw in OpenSSL, one of the key software libraries used to encrypt data transactions on the Internet. The flaw is called the Heartbleed Bug.
P&C Bank and the company that manages our Online Banking system, First Data, have no indication that this vulnerability has been used against our Online Banking system. Please see the message from First Data below.
First Data continues to conduct thorough evaluations of our products to ensure all precautions have been taken in relation to the Heartbleed bug.
We use a combination of cyber intelligence and industry leading technology to regularly scan for vulnerabilities. In addition, First Data employs a 24/7 cyber security staff dedicated to detecting and responding to potential threats to our security.
First Data does use OpenSSL in some areas of our infrastructure; however, the majority of those areas do not leverage the vulnerable version. Some of the systems that were running the vulnerable version were behind additional mitigating layers of infrastructure that prevent the vulnerability from being exploited, leaving only a small subset that were actually vulnerable and accessible from the Internet.
Due to the criticality of this vulnerability, we responded immediately and began patching within hours of the announcement about the bug.
Using a risk-based approach to prioritize our remediation activities, we have thoughtfully analyzed our infrastructure and focused our efforts on applications and products in the following order:
- Internet accessible where the bug could be successfully accessed
- Internet accessible, but protected by other infrastructure and security layers that do not allow the bug to be accessed directly (i.e., systems are behind load balancers that do not support heartbeat features)
- Applications hosted within First Data’s internal network, non-internet facing, or where business to business networks are leveraged. (i.e., leased line or private networks)
As it relates to our first priority, we successfully patched the majority of systems within 48 hours of the vulnerability being announced, and completed those efforts globally this afternoon.
After patching the affected systems, out of an abundance of caution, we completed resets of user credentials as needed, and certificates and private keys have been reissued and replaced. We will take additional precautionary measures if needed. We also recommended that all users of the Rewards GUI product change their passwords for this application.
We are continuing to move forward with remediating the systems noted in the second and third categories above and are prioritizing those efforts accordingly.
In addition, as part of our Third Party Compliance program, we are actively evaluating our third party business partners to ensure they also are taking appropriate actions to remediate any exposure to this vulnerability immediately.