Cybercriminals choose their targets based on two conditions - maximum impact and maximum profit.
Financial institutions perfectly meet these conditions because they store highly valuable data, and their digital transformation efforts are creating greater opportunities for cyber attackers to access that data.
This is why the financial sector is disproportionately targeted by cybercriminals, behind healthcare.
Besides implementing a data protection solution specific to financial services, one of the best methods of mitigating data breaches is learning from the mistakes of others.
To support this effort, we've listed the 8 biggest data breaches in the financial industry, ranked by level of impact. This list is regularly refreshed to include 2021 updates.
Each event includes a summary of the key mistakes that lead to a data breach to help you avoid repeating them.
Date: August 2020
Impact: 24 million customers
A threat actor claiming to be a representative for one of Experian's clients convinced a staff member of the Experian South African office to relinquish sensitive internal data.
Experian claimed that the information that was provided was not highly-sensitive, but rather data that are commonly exchanged during the normal course of business.
According to the South African Banking Risk Information Center (SABRIC) - one of the authorities involved in investigations - 24 million customers and almost 800,000 businesses were impacted by the breach.
The following customer information was disclosed to the threat actor:
Mobile phone numbers
Home phone numbers
Places of work
Job start dates
According to Experian, the threat actor intended to use the stolen data to create marketing leads for insurance and credit-related services.
Implement cyber threat training in the workplace
The targeted Experian employee had little reason to question the authenticity of the threat actor's call. They provided all of the relevant identifying information Experian requires of its clients - Name, Surname, and RSA ID number.
This demonstrates the sophistication of modern social engineering campaigns and how unprepared staff are to contend with this cyber threat.
Humans will always be the weakest links in a cybersecurity program. To preserve security control investments, financial services must implement cyber threat awareness training in the workplace.
This training should cover how to identify fraudulent inquiries on Linkedin since this is a growing attack vector for social engineering campaigns.
Implement a data leak detection solution
On October 24, 2021, Experian became aware of a dark web post on a criminal forum containing some of the data from this breach. With the support of law enforcement, this activity was intercepted and the data deleted.
While such data leaks remain undetected, breach victims, and their impacted customers, are at an increased risk of ongoing data breaches.
By implementing a data leak detection solution, such events can be instantly detected and shut down, without wasting time waiting for external security assistance.
Date: Sep 2017
Impact: 147 million customers
The Equifax data breach was nothing short of a disaster. A string of terrible cybersecurity practices made the security breach almost too easy for cybercriminals.
There are four primary flaws that facilitated the security breach.
The company failed to patch a well-known vulnerability (CVE-2017-5638) for its Open Source developing framework - Apache Struts. At the time of the breach, the patch for CVE-2017-5638 had been available for 6 months.
Equifax failed to segment its ecosystem, so the attackers were able to seamlessly access multiple servers after gaining access through the web portal breach.
The hackers found usernames and passwords sorted in plain text, which were used to escalate privileges to achieve deeper access.
The hackers were able to exfiltrate data undetected for months because Equifax failed to renew an encryption certificate for one of their internal tools.
On top of all this, over a month had elapsed before Equifax finally publicized the breach. During this period, top executives sold company stock, giving rise to insider trading accusations.
More than 40% of the population of America was potentially impacted by the Equifax data breach.
The following data was compromised:
Dates of birth
Social security numbers
Driver's license numbers
Credit card numbers
Due to the highly sensitive nature of Personally Identifiable Information and financial information that was compromised, Equifax was fined $700 million for the breach.
Financial services companies and small businesses can learn many critical lessons from this breach.
Keep all software updated - This cyberattack could have potentially been avoided entirely if Equifax patched its development vulnerability. Information security teams should regularly reference the CVE database to remain informed of the latest software exposure. The discovery of existing, and even potential, software vulnerabilities can be automated with an attack surface monitoring solution.
Segment your ecosystem - Segment your ecosystem to obfuscate access to all sensitive resources. This effort begins with the creation of a digital footprint. Once all pathways to sensitive resources have been identified, a Zero Trust Architecture will further mitigate malicious access.
Monitor third parties - A vendor risk management platform will reveal any third-party services at a heightened risk of cyberattacks through unpatched vulnerabilities.
Implement timely data breach notification policies - Timely data breach notification is a strict requirement for financial regulations. Failure to comply could result in costly fines and even jail terms.
Date: January 2008
Impact: 100 million debit and credit card numbers
In January 2008, Russian hackers injected malware through a webform on Heartland's website, resulting in the comprised of 130 million credit and debit card numbers.
Cyberattackers used an SQL injection attack to gain access to the company's corporate network. They spent almost 6 months attempting to access resources processing credit card data.
After successfully evading anti-virus defenses, the Russian threat actors installed sniffer software to intercept credit card data in transit.
Albert Gonzales, alongside two unidentified partners, was indicted for the attack. Gonzales was sentenced to 20 years in prison.
In an attempt to rectify its fallen cyber resilience reputation, Heartland significantly upgraded its cybersecurity and boldly issued the following data breach warrant to all of its customers:
“Heartland Payment Systems is so confident in the security of its payment processing technology that, on Jan. 12, it announced a new breach warranty for its users. The warranty program will reimburse merchants for costs incurred from a data breach that involves the Heartland Secure credit card payment processing system." insert as quote?
Ironically, after this announcement, cybercriminals broke into the company's payroll office and physically stole 11 computers, resulting in the compromise of Personal Identifiable Information impacting 2,200 people.
The following data was compromised in the Heartland data breach:
Credit card numbers
Card expiration dates
The following lessons can be gleaned from the Heartland Payment Systems breach.
Regulatory compliance is not enough - Heartland was compliant with PCI DSS at the time of the incident, but it wasn't enough to prevent the data breach. Compliance should not be confused with security. Besides regulatory frameworks, organizations must implement additional cybersecurity systems that specifically address the vulnerabilities facilitating data breaches.
Implement internal security protocols - Outer-level security defenses are useless if a threat actor is able to walk away with devices housing sensitive resources. Be sure to also secure all physical inventory.
Secure all third-party systems - All of the businesses that partnered with Heartland to process their payments were impacted by this breach. This event highlights the importance of vendor risk management to prevent vulnerable third parties from turning into attack vectors.
Date: March 2019
Impact: 100 million credit card applications
Former Amazon Web Services software engineer, Paige A. Thompson, illegally accessed one of the AWS servers storing Capital One's data and stole 100 million credit card applications dating back to 2005.
It didn't take long for the FBI to identify the attacker because Thompson didn't attempt to obfuscate her connection to the event.
She used her full name when she posted the stolen data on GitHub and even openly bragged about the breach on social media.
A GitHub user sent Captial One an email to notify them of the stolen data dump.
Figure 1 - The email that notified Captial One of the stolen data dump - Source: heavy.com
Figure 2 (BLUR) - Pade Adele Thomson bragging about the breach online - Source: heavy.com
The Captial One data breach impacted approximately 100 million people in the United States and over 6 million in Canada.
The following types of sensitive data were stolen:
Social security numbers (about 140,000 records)
Canadian Social Insurance numbers (about 1 million records)
Bank account numbers (80,000)
The magnitude of compromised data classifies this event as one of the most devastating data breaches in the financial services industry.
The following lessons can be learned from the Capital One data breach:
Secure all cloud technology - This breach may not have occurred had Capital One secured its transition to cloud storage with an attack surface monitoring solution. This would have highlighted any data security vulnerabilities increasing the risk of data breaches.
Secure all firewall configurations - A misconfigured web application firewall made this breach possible. Such insecure configurations could be rapidly discovered and addressed with attack surface monitoring software.
Date: May 2019
Impact: 100 million credit card applications
More than 885 million financial and personal records linked to real estate transactions were exposed through a common website design error.
This error is known as a "Business Logic Flaw" on the FIrst American Financial Corp website. This is when a webpage link leading to sensitive information isn't protected by an authentication policy to verify user access.
This exposure was not initiated by a hacker, the vulnerability that facilitated sensitive data access was caused by an internal error - an event known as data leaks.
Though data leaks and data breaches are two different events, they both share the same potential outcome - sensitive customer information falling into the hands of cybercriminals.
The following data was compromised in the First American Corp data breach:
Phone numbers of closing agents and buyers
Armed with this information, a wide range of cybercrime is possible including:
The following lessons can be learned from the First American Financial Corp breach:
Implement code review policies - Before pushing any code live, it should be reviewed by a quality control officer.
Monitor for data leaks - A data leak detection solution will detect and shut down all internal or third-party data leaks before they're discovered by cybercriminals.
Date: October 2014
Impact: 83 million accounts
Cyberattackers, allegedly located in Brazil, managed to penetrate JP Morgans' perimeter, gain the highest level of administrative privilege and achieve root access to more than 90 of its servers.
Surprisingly, rather than leveraging available account privileges to steal financial information, only customer contact information was stolen. This very unclimactic outcome suggests the objective of the attack was to only steal specific customer details - possibly for use in future targeted cyberattacks.
The following data was compromised in the JPMorgan Chase data breach:
Internal login details for a JPMorgan employee
Learn from this breach
Investigations revealed that this breach was made possible by a very basic security vulnerability.
When JPMorgan's security team upgraded one of its network servers, they failed to implement Multi-Factor Authentication (MFA).
This event demonstrates that even the most sophisticated financial institutions are susceptible to basic lapses in cybersecurity hygiene. To detect overlooked exposures that fall through manual processes, human effort should always be supported with an attack surface monitoring solution.
Date: June 2019
Impact: 4.2 million customers
A disgruntled employee of Canada's largest credit union, Desjardins, gain unauthorized access to 4.2 million members’ data with an intent to cause harm to the company.
Investigations narrowed down the exposure to a single source, revealing the employee that was responsible.
6 months after the event, it was revealed that the breach also impacted 1.8 credit card holders outside of Desjardin's member base.
This update likely contributed to the significant jump in estimated damage costs, which rose from $70 million to $108 million.
Another contributor to the rise in damage cost was the inclusion of 5 years of free credit monitoring by Equifax in a compensation package for victims.
Equifax also suffered a data breach, but with a significantly greater impact. --> linky
The malicious employee accessed the following member data:
Social security numbers
Desjardins assures that no credit, debit or payment card numbers, passwords, or PINs were accessed in the breach.
This breach was unique in that it was not a result of cyberattacks, but an insider threat.
This category of cyber risk is the most difficult to intercept because their malicious actions could easily be mistaken for legitimate daily tasks.
It's also difficult for internal security teams to be vigilant for insider threats because they're already exceeding their bandwidth with risk management tasks.
From these insights, and the key events leading up to the beach, the following lessons can be learned:
Secure all privileged access - The Desjardins malicious insider should not have had such liberal and unmonitored access to a large personal data resource. By securing all Privileged Access Management such unauthorized access could be prevented.
Streamline Vendor Risk Management - Efficient vendor risk management practices, such as Vendor Tiering, protect security teams from overload, creating sufficient bandwidth for insider threat monitoring.
Look for signs of employee dissatisfaction - Regular internal servers or one-on-ones could highlight employee grievances before they escalate into insider threats.
Date: June 2013
Impact: 98,000 customers
This data breach occurred through PayID - Westpac's third-party provider for facilitating transfers between banks with either a mobile number or email address.
PayID operates like a phonebook. Through the PayID lookup function, anyone can confirm the details of an account holder by searching their phone number or email address.
This vulnerability made it possible for hackers to execute an enumeration attack - when brute force techniques are used to either confirm or guess valid records in a database.
When the attack was over, the hackers uncovered the banking details of 98,000 Westpac customers.
The enumeration attack exposed the following types of customer data:
Armed with these details, cybercriminals can keep retargeting victims with a broad range of phishing attacks.
Just because a Government sponsors a platform, it does not mean it's cyber resistant.
Despite warnings of potential security risks, the Australian government approved its New Payments Platform (NPP), assuring the public that fraud and security concerns were “extensively considered" when developing PayID.
The data breach that ironically eventuated after this statement demonstrates that government solutions are vulnerable to the same cyber threats as all third-party software, including dated techniques like brute force attacks.
To prevent such an incident, security controls addressing brute force attacks should be implemented.
Some examples are listed below.
Limit login attempts - Limit incorrect login attempts from a single IP address.
Use device cookies - Device cookies will block malicious login attempts coming from specific browsers.
Block suspicious logins - Block login functionality after a certain number of incorrect attempts.
Don't reveal correct credentials - Prevent login fields from confirming which specific details are correct.
Use CAPTCHAS - Choose CAPTCHAS that get progressively harder and more time-consuming with each incorrect login attempt.