Heartbleed Security Bug

On April 7, 2014, Central 1 became aware of concerns regarding an Internet software security flaw and immediately began an assessment to determine the impact, if any, to our services.

The affected technology, OpenSSL, is not used by MemberDirect®, thus our system has not been affected. This means that the Heartbleed bug does not pose a threat to any of the direct banking platforms, including MemberDirect Online Services, MemberDirect Integrated Services, MemberDirect Mobile Services (web and apps), MemberDirect Small Business and MemberDirect Business. Central 1 has also confirmed that our CAFT application does not use the OpenSSL technology, and is therefore not vulnerable to this issue.

Central 1 maintains a variety of systems beyond MemberDirect and continues to ensure that all systems that may be vulnerable receive an appropriate response. This is happening through a systematic review and scan of each application, in order of criticality. After identification, any vulnerable systems are patched, with high priority, through our change management process. If material impacts are discovered during this process, you will be notified by our Computer Security Incident Response Team.

The so-called Heartbleed bug takes advantage of a software defect that allows hackers to access web-encrypted sites and potentially access users’ personal information such as bank account numbers and passwords.

It has become public that users who want to take additional precautions to protect sensitive information in their banking and email accounts, for example, may wish to change their passwords; however, they should not undertake this exercise until they have confirmation that the site or application that they are accessing has been patched to address this issue.

More info on the Heartbleed bug is available at http://heartbleed.com.