The Most Terrifying Hack I Have Ever Seen - MOVEit

Creeper

I spent 25 years managing various cyber security organizations for major banks so I have some thoughts about this subject.

First, banks are incredibly regulated by multiple government agencies all telling the banks what to do as far as securing their environment is concerned. These agencies have tremendous power, including the ability to shut down banks if the government agency deems their security practices insufficient. In all honesty, our security folks were way ahead of government examiners in terms of security knowledge. What the government could do was provide intelligence about what they see in the wild as far as security attacks. One thing that was true then, and I believe it to be true today, the largest banks have much better security and security practices than the government itself. The government does things, like using products like MOVEit, that the most secure banks would only use in very controlled environments and only for the least restricted data. My opinion of the US government's CISA program is it is a total joke. Maybe they are better now. But as an example, remember all the government officials using their own email accounts to conduct business? They would be fired by any major bank because the government auditors would expect that kind of policy in place!

As for the product that has been exploited, it is vulnerable to an SQL injection attack, which is basically hackers messing with application queries to an SQL database to gain access to data that is typically off limits to users. Good applications are programmed to detect and reject SQL injection attempts, but it appears MOVEit missed something in their testing. They have already supplied a patch for their products. Of course the damage is already done if data was stolen. Where I worked, a product like MOVEit would have been on a black list. The only way to use it would have been to install it on a dedicated standalone machine firewalled off from the rest of the network and only with an exception from a senior exec and the head of security - and I did not approve these exceptions easily. Its use would have to be monitored, the data encrypted, ports restricted, and with intrusion detection in place. Most likely, customer confidential data would not be allowed to be transmitted over this software - except for the government if they asked for it.

Also, as good as banks are at security, many other private industries are really bad.

I usually don't blame software companies for these vulnerabilities because software has gotten incredibly complex, although this one sounds like a basic exploit. But again, we required our vendors to follow rigid security practices or we would not buy their stuff. We would mandate thorough vulnerability tests conducted by our team or by a vendor we trusted.

If a private company is hacked and customer data is compromised there are state and federal laws that could result in fines and other punishments. If the government is hacked and your private information is compromised there may be harsh words.
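
An added illustration of the SQL injection class described in the post above; it is not part of the original post and not MOVEit's code. The table, file names, function names and input string are constructed for the example, and it contrasts a query built by string concatenation with a parameterized query, the standard way to keep user input from changing the query.

```python
import sqlite3

# Constructed input: a quote character followed by SQL that widens the filter.
INJECTED_FILTER = "' OR 1=1 --"


def make_db():
    # Constructed sample data for a toy file-transfer table (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (owner TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO files VALUES (?, ?)",
        [("alice", "alice_payroll.csv"), ("bob", "bob_customers.csv")],
    )
    return db


def list_files_concatenated(db, owner, name_filter):
    # Weak form: user input is pasted into the SQL text, so a quote in
    # name_filter ends the string literal and the rest is parsed as SQL.
    sql = (
        "SELECT name FROM files WHERE owner = '" + owner
        + "' AND name LIKE '%" + name_filter + "%'"
    )
    return [row[0] for row in db.execute(sql)]


def list_files_parameterized(db, owner, name_filter):
    # Hardened form: the SQL text is fixed and values are bound separately,
    # so the input can only ever be compared as data.
    sql = "SELECT name FROM files WHERE owner = ? AND name LIKE ?"
    return [row[0] for row in db.execute(sql, (owner, "%" + name_filter + "%"))]


if __name__ == "__main__":
    db = make_db()
    # The owner restriction is bypassed in the concatenated query ...
    print(list_files_concatenated(db, "alice", INJECTED_FILTER))
    # ... and holds in the parameterized one, which matches no file name.
    print(list_files_parameterized(db, "alice", INJECTED_FILTER))
```
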
 

Crazed Liotta Eyes

Thanks for this. It's very cool how much I learn from people I trust on this board. Such an interesting collection of backgrounds we have here.
 

Creeper

Thanks. And I agree. I have gained some valuable info from people on this site that helped me a lot. I am pretty sure if I post a question about something someone on this site will have a good answer.
 

VaqueroTD

Agreed. I think with the overall older age of this community, it lends itself to more of this. I’m the first one to trash the bad parts of the Internet, but there’s also a lot of great things we gain too. This example… freaking love having Wikipedia and some of the free online databases if I want to quickly learn about anything… and I practically live off of those YouTube how-to-fix-it videos.
 

Praxit

I suppose that's why it pays to have an excellent backup data plan in cases like these.

Run the GHOST and you're back online.
 