The final report of the FDIC's investigation of a security breach at payments processor FIS found it worse than previously thought, according to a noted security blog.

Brian Krebs is a former Washington Post reporter whose blog, Krebs on Security, is highly regarded in the information security community.

Krebs reports that “[t]he disclosure highlights a shocking lack of basic security protections throughout one of the nation's largest financial services providers.”

When FDIC first brought the breach to light in the second quarter of 2011, the Jacksonville, Fla.-based payments processor and core software vender said the breach had been limited to only its prepaid card division, and the NCUA warned credit unions to evaluate their relationship with the major cards processor.

Krebs now quotes an FDIC investigators report that far more was actually compromised.

The fraudsters used the hacked information to clone prepaid cards and withdraw $13 million from ATMs in Europe, Krebs said, and more exposure has now been reported.

“'The initial findings have identified many additional servers exposed by the attackers; and many more instances of the malware exploits utilized in the network intrusions of 2011, which were never properly identified or assessed,” Krebs quoted the FDIC examiners writing in a report from October 2012.

He said the FDIC sent the report to hundreds of banks last week.

“As a result, FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion,” Krebs said the report said.

Further, Krebs quoted the deposits insurer as documenting that the payments processor had spent $100 million to fix the security weaknesses, but left some key security problems in place, at  least as long as one year later.

“The FDIC noted that FIS routinely uses blank or default passwords on numerous production systems and network devices, even though these were some of the same weaknesses that 'contributed to the speed and ease with which attackers transgressed and exposed FIS systems during the 2011 network intrusion,'” Krebs quoted from the report.

Quoting additionally, “[m]any FIS systems remain configured with default passwords, no passwords, non-complex passwords, and non-expiring passwords,” and adding the quote “Enterprise vulnerability scans in November 2012, noted over 10,000 instances of default passwords in use within the FIS environment.”

One possible bit of good news for credit unions comes in what the report may not say.  Although Krebs reports that the FDIC found breaches to be widespread at the firm, he does not list card services as one of the parts of the firm that was breached. 

If FDIC investigators found little or no evidence of widespread security breaches at the FIS card services division, this might mean that the part of the company used by the majority of credit unions remained at least more secure than the rest.

FDIC declined to comment or elaborate on the report, stating initially that it had not been sent then allowing that a similar report would have been shared with banks. 

Card Services for Credit Unions, the association of credit unions that process at least some of their card transactions with FIS, has not yet commented.

Meanwhile, in its statement, FIS chose to focus on the positive changes it says it has made since the breach, citing the $100 million spent that Krebs also highlighted and criticized.

“Over the past two years, FIS has made improvements of more than $100 million as part of our goal to provide best-in-class information security and risk management to each of our 14,000-plus clients,” FIS said through its public relations firm, adding:

“FIS management and board have taken notable actions on the previously cited areas requiring improvement and the sustainability of these improvements and have continued to accelerate the pace of enhancements throughout the organization. We have prioritized our efforts to focus first on those initiatives that lessen the risk exposure of our clients.

“We have been very transparent with our clients and shareholders and have openly, accurately and regularly communicated these initiatives, our progress and results to our clients and shareholders through meetings, monthly updates, quarterly public disclosures, board materials, educational webinars, and more.”