Finopotamus Exclusive: Jeremiah Fowler and the Navy FCU Data Breach
By John San Filippo
Sep 29
In early September, it was reported through a variety of technology outlets that security researcher Jeremiah Fowler had uncovered a data breach at $180 billion Navy Federal Credit Union. Reports appeared in Bitdefender, Bank Info Security, and TechRadar, among others. However, there was minimal reporting on this in the credit union space, and what little there was only rehashed other published reports. Wondering whether there were any lessons to be learned from the incident that might be applicable to other credit unions, Finopotamus spent the ensuing time establishing direct contact with Fowler. We recently spoke with him from his home in Germany.
What Actually Happened at Navy Federal Credit Union?

The incident at Navy Federal Credit Union involved internal backup files that were publicly accessible on a cloud storage repository. Fowler discovered the exposed data using what is called an IoT (Internet of Things) search engine, which he describes as “Google for connected devices.” The exposed data did not contain member data, but did include “internal records that are not meant for the public to see,” he noted.
The files likely pertained to the credit union’s auto loan division, as Fowler saw “a lot of stuff that was geared toward auto loans.” While Navy Federal released a statement that there was “no customer data, no harm, no foul”—implying “no story here, move along”—Fowler asserted that since internal records were accessible via open-source tools, it technically counts as a breach. He stated, “I’m not an internal employee, I’m not a contractor, and if I found it, anyone else could.” Navy Federal declined comment for this article.
Why Data is Left Exposed
Fowler speculated the data exposure was likely due to human error or a misconfigured firewall, and he does not think the incident was the result of any malicious act. “A majority of data incidents happen because of simple human error,” he noted.
One theory offered by Fowler is that a third-party app that provided a backup service may have been involved. “With third-party applications, you have a password-protected dashboard or login. All of your files or documents have to be served to that app,” he explained. “The credit union may have dumped everything in one cloud storage repository, thinking [it was protected by] this front-loaded password.” However, he notes, “it could still be delivered to an unsecure location.”
Fowler added that companies sometimes leave files open “because to configure, it’s a lot of coding and development and technical back-end work to make individual files available to exactly who they need to be available to, and still make those secure.” However, he stressed that even if a third party was involved, “That’s still your data and it still is very vital to whatever business you’re doing.”
Lessons for Credit Unions
For credit unions—from the largest to the smallest—Fowler has several key takeaways:
You Are a Tech Company
“The second you start collecting data and taking data, you’re now a tech company,” he stated. “You have to include [data security] in your operating costs to make sure that you have that.”
Don’t Lose the Chain of Custody
“It’s a mistake any time you lose that chain of custody and your data is out, or access to your network is out to a third-party vendor,” he noted. He advised that credit unions should have a dedicated person or persons on their team whose only job is to check open ports and investigate any questions that arise. “There is no silver bullet for cybersecurity,” he stated. “That’s something I preach all the time. It’s not if it happens, it’s when it happens.”
Have a Mitigation Plan and Communication Channel
Since a data incident will eventually happen, credit unions need to have a mitigation plan in place. Fowler warned: “General customer support is not trained to deal with data privacy or anything like that. But when it comes to a data breach, time is of the essence. The longer the data is exposed, the higher the chances someone else gets it.” For this reason, he added, “Not having a dedicated communications channel for data incidents is a huge mistake.”
Consider a Bug Bounty Program
“Most companies have moved away from bug bounty programs, which I believe is very foolish,” he told Finopotamus. A bug bounty program is a formal offer to pay a “bounty” to responsible security companies for any vulnerabilities they uncover. The problem, according to Fowler, is that bounties have been reduced to almost nothing. The net result is that the bounties aren’t worthwhile for the top cybersecurity experts. He suggested that a group of smaller credit unions could participate in a bug bounty program together for software they have in common.
After the Notification
When Fowler reported the Navy Federal breach, the data was restricted “within hours of reporting it,” but he received no response from the credit union: “no thank you, no nothing.” He said that the best-practice response upon being notified of an incident is to at least acknowledge the person’s efforts. “Okay, we validated what you found. Thank you for pointing it out.”
According to Fowler, when Navy Federal was originally contacted by journalists, they replied, “We can’t comment about that right now.” He added, “That’s not how you answer. A better approach would be to say, ‘We’re still investigating, we’re trying to get all the answers together, and once we have a better idea of what happened, we’ll be happy to share that with you.’”
Fowler continued: “It was bad, but could have been worse. They were lucky it was an ethical security researcher who pointed this out, and not someone from the People’s Republic or Russia.”