Cybercriminals choose their targets based on two conditions - maximum impact and maximum profit.
Financial institutions perfectly meet these conditions because they store highly valuable data, and their digital transformation efforts are creating greater opportunities for cyber attackers to access that data. This is why the financial sector is disproportionately targeted by cybercriminals, behind healthcare.
Besides implementing a data protection solution specific to financial services, one of the best methods of mitigating data breaches is learning from the mistakes of others.
Learn how UpGuard simplifies Vendor Risk Management >
To support this effort, we've listed the 10 biggest data breaches in the financial industry, ranked by level of impact. This list is regularly refreshed to include critical 2022 events around the world in major countries like the US, UK, Australia, China, and many more.
The 10 Biggest Data Breaches in the Finance Sector
Each record includes a summary of the key mistakes that lead to a data breach to help you avoid repeating them.
1. First American Financial Corp Data Breach
Date: May 2019
Impact: 885 million credit card applications
How did the data breach occur?
More than 885 million financial and personal records linked to real estate transactions were exposed through a common website design error.
This error is known as a "Business Logic Flaw" on the FIrst American Financial Corp website. This is when a webpage link leading to sensitive information isn't protected by an authentication policy to verify user access.
This exposure was not initiated by a hacker, the vulnerability that facilitated sensitive data access was caused by an internal error - an event known as data leaks.
Though data leaks and data breaches are two different events, they both share the same potential outcome - sensitive customer information falling into the hands of cybercriminals.
What data was compromised?
The following data was compromised in the First American Corp data breach:
- Names
- Email addresses
- Phone numbers of closing agents and buyers
Armed with this information, a wide range of cybercrime is possible including:
- Identity theft
- Ransomware attacks
- Malware injections
Learn from this breach:
The following lessons can be learned from the First American Financial Corp breach:
- Implement code review policies - Before pushing any code live, it should be reviewed by a quality control officer.
- Monitor for data leaks - A data leak detection solution will detect and shut down all internal or third-party data leaks before they're discovered by cybercriminals.
2. Equifax Data Breach
Date: Sep 2017
Impact: 147 million customers
How did the data breach occur?
The Equifax data breach was nothing short of a disaster. A string of terrible cybersecurity practices made the security breach almost too easy for cybercriminals.
There are four primary flaws that facilitated the security breach.
- The company failed to patch a well-known vulnerability (CVE-2017-5638) for its Open Source developing framework - Apache Struts. At the time of the breach, the patch for CVE-2017-5638 had been available for 6 months.
- Equifax failed to segment its ecosystem, so the attackers were able to seamlessly access multiple servers after gaining access through the web portal breach.
- The hackers found usernames and passwords sorted in plain text, which were used to escalate privileges to achieve deeper access.
- The hackers were able to exfiltrate data undetected for months because Equifax failed to renew an encryption certificate for one of their internal tools.
On top of all this, over a month had elapsed before Equifax finally publicized the breach. During this period, top executives sold company stock, giving rise to insider trading accusations.
What data was compromised?
More than 40% of the population of America was potentially impacted by the Equifax data breach.
The following data was compromised:
- Names
- Dates of birth
- Social security numbers
- Driver's license numbers
- Credit card numbers
Due to the highly sensitive nature of Personally Identifiable Information (PII) and financial information that was compromised, Equifax was fined $700 million for the breach.
Learn from this breach:
Financial services companies and small businesses can learn many critical lessons from this breach.
- Keep all software updated - This cyberattack could have potentially been avoided entirely if Equifax patched its development vulnerability. Information security teams should regularly reference the CVE database to remain informed of the latest software exposure. The discovery of existing, and even potential, software vulnerabilities can be automated with an attack surface monitoring solution.
- Segment your ecosystem - Segment your ecosystem to obfuscate access to all sensitive resources. This effort begins with the creation of a digital footprint. Once all pathways to sensitive resources have been identified, a Zero Trust Architecture will further mitigate malicious access.
- Monitor third parties - A vendor risk management platform will reveal any third-party services at a heightened risk of cyberattacks through unpatched vulnerabilities. Learn how financial services can effectively manage third-party risk.
- Implement timely data breach notification policies - Timely data breach notification is a strict requirement for financial regulations. Failure to comply could result in costly fines and even jail terms.
3. Heartland Payment Systems Data Breach
Date: January 2008
Impact: 130 million debit and credit card numbers
How did the data breach occur?
In January 2008, Russian hackers injected malware through a webform on Heartland's website, resulting in the comprised of 130 million credit and debit card numbers.
Cyberattackers used an SQL injection attack to gain access to the company's corporate network. They spent almost 6 months attempting to access resources processing credit card data.
After successfully evading anti-virus defenses, the Russian threat actors installed sniffer software to intercept credit card data in transit.
Albert Gonzales, alongside two unidentified partners, was indicted for the attack. Gonzales was sentenced to 20 years in prison.
In an attempt to rectify its fallen cyber resilience reputation, Heartland significantly upgraded its cybersecurity and boldly issued the following data breach warrant to all of its customers:
“Heartland Payment Systems is so confident in the security of its payment processing technology that, on Jan. 12, it announced a new breach warranty for its users. The warranty program will reimburse merchants for costs incurred from a data breach that involves the Heartland Secure credit card payment processing system." insert as quote?
Ironically, after this announcement, cybercriminals broke into the company's payroll office and physically stole 11 computers, resulting in the compromise of Personal Identifiable Information impacting 2,200 people.
What data was compromised?
The following data was compromised in the Heartland data breach:
- Credit card numbers
- Card expiration dates
- Cardholder names
Learn from this breach:
The following lessons can be gleaned from the Heartland Payment Systems breach.
- Regulatory compliance is not enough - Heartland was compliant with PCI DSS at the time of the incident, but it wasn't enough to prevent the data breach. Compliance should not be confused with security. Besides regulatory frameworks, organizations must implement additional cybersecurity systems that specifically address the vulnerabilities facilitating data breaches.
- Implement internal security protocols - Outer-level security defenses are useless if a threat actor is able to walk away with devices housing sensitive resources. Be sure to also secure all physical inventory.
- Secure all third-party systems - All of the businesses that partnered with Heartland to process their payments were impacted by this breach. This event highlights the importance of vendor risk management to prevent vulnerable third parties from turning into attack vectors.
Learn the features of the best cyber risk remediation product for financial services >
4. Capital One Data Breach
Date: March 2019
Impact: 100 million credit card applications
How did the data breach occur?
Former Amazon Web Services software engineer, Paige A. Thompson, illegally accessed one of the AWS servers storing Capital One's data and stole 100 million credit card applications dating back to 2005.
It didn't take long for the FBI to identify the attacker because Thompson didn't attempt to obfuscate her connection to the event.
She used her full name when she posted the stolen data on GitHub and even openly bragged about the breach on social media.
A GitHub user sent Captial One an email to notify them of the stolen data dump.
What data was compromised?
The Captial One data breach impacted approximately 100 million people in the United States and over 6 million in Canada.
The following types of sensitive data were stolen:
- Social security numbers (about 140,000 records)
- Canadian Social Insurance numbers (about 1 million records)
- Bank account numbers (80,000)
The magnitude of compromised data classifies this event as one of the most devastating data breaches in the financial services industry.
Learn from this breach:
The following lessons can be learned from the Capital One data breach:
- Secure all cloud technology - This breach may not have occurred had Capital One secured its transition to cloud storage with an attack surface monitoring solution. This would have highlighted any data security vulnerabilities increasing the risk of data breaches.
- Secure all firewall configurations - A misconfigured web application firewall made this breach possible. Such insecure configurations could be rapidly discovered and addressed with attack surface monitoring software.
5. JPMorgan Chase Data Breach
Date: October 2014
Impact: 83 million accounts
How did the data breach occur?
Cyberattackers, allegedly located in Brazil, managed to penetrate JP Morgans' perimeter, gain the highest level of administrative privilege and achieve root access to more than 90 of its servers.
Surprisingly, rather than leveraging available account privileges to steal financial information, only customer contact information was stolen. This very unclimactic outcome suggests the objective of the attack was to only steal specific customer details - possibly for use in future targeted cyberattacks.
What data was compromised?
The following data was compromised in the JPMorgan Chase data breach:
- Internal login details for a JPMorgan employee
- Customer names
- Email addresses
- Phone numbers
Learn from this breach:
Investigations revealed that this breach was made possible by a very basic security vulnerability.
When JPMorgan's security team upgraded one of its network servers, they failed to implement Multi-Factor Authentication (MFA).
This event demonstrates that even the most sophisticated financial institutions are susceptible to basic lapses in cybersecurity hygiene. To detect overlooked exposures that fall through manual processes, human effort should always be supported with an attack surface monitoring solution.
6. Experian
Date: August 2020
Impact: 24 million customers
How did the data breach occur?
A threat actor claiming to be a representative for one of Experian's clients convinced a staff member of the Experian South African office to relinquish sensitive internal data.
Experian claimed that the information that was provided was not highly-sensitive, but rather data that are commonly exchanged during the normal course of business.
According to the South African Banking Risk Information Center (SABRIC) - one of the authorities involved in investigations - 24 million customers and almost 800,000 businesses were impacted by the breach.
What data was compromised?
The following customer information was disclosed to the threat actor:
- Mobile phone numbers
- Home phone numbers
- Work numbers
- Email addresses
- Residential addresses
- Places of work
- Work addresses
- Job titles
- Job start dates
According to Experian, the threat actor intended to use the stolen data to create marketing leads for insurance and credit-related services.
Learn from this breach:
Implement cyber threat training in the workplace
The targeted Experian employee had little reason to question the authenticity of the threat actor's call. They provided all of the relevant identifying information Experian requires of its clients - Name, Surname, and RSA ID number.
This demonstrates the sophistication of modern social engineering campaigns and how unprepared staff are to contend with this cyber threat.
Humans will always be the weakest links in a cybersecurity program. To preserve security control investments, financial services must implement cyber threat awareness training in the workplace.
This training should cover how to identify fraudulent inquiries on Linkedin since this is a growing attack vector for social engineering campaigns.
Learn about the biggest cyber threats affecting financial institutions.
Implement a data leak detection solution
On October 24, 2021, Experian became aware of a dark web post on a criminal forum containing some of the data from this breach. With the support of law enforcement, this activity was intercepted and the data deleted.
While such data leaks remain undetected, breach victims, and their impacted customers, are at an increased risk of ongoing data breaches.
By implementing a data leak detection solution, such events can be instantly detected and shut down, without wasting time waiting for external security assistance.
7. Block
Date: Apr 2022
Impact: 8.2 million employees
How did the data breach occur?
A Square (now known as Block) employee downloaded reports detailing customer information without permission. It’s estimated that about 8.2 million current and former customers were included in the report.
What data was compromised?
The report included the following information.
- Full names
- Brokerage account numbers
- Brokerage portfolio values
- Brokerage portfolio holdings
- Stock trading activity for one trading day
Block said that sensitive information, such as passwords, social security numbers, and payment card information, was not compromised in the breach.
Learn from this breach:
An inside threat caused this breach while managing processes included in their day-to-day tasks. Because permission escalation was not required, this incident would have been difficult to detect with conventional insider threat monitoring strategies.
Detecting potential malicious efforts within the purview of an employee's permissible processes requires a highly-targeted and customized approach.
Click here to request your free instant security score.
8. Desjardins Group
Date: June 2019
Impact: 4.2 million customers
How did the data breach occur?
A disgruntled employee of Canada's largest credit union, Desjardins, gain unauthorized access to 4.2 million members’ data with an intent to cause harm to the company.
Investigations narrowed down the exposure to a single source, revealing the employee that was responsible.
6 months after the event, it was revealed that the breach also impacted 1.8 credit card holders outside of Desjardin's member base.
This update likely contributed to the significant jump in estimated damage costs, which rose from $70 million to $108 million.
Another contributor to the rise in damage cost was the inclusion of 5 years of free credit monitoring by Equifax in a compensation package for victims.
Equifax also suffered a data breach, but with a significantly greater impact (see above).
What data was compromised?
The malicious employee accessed the following member data:
- Social security numbers
- Names
- Email addresses
- Transaction records
Desjardins assures that no credit, debit or payment card numbers, passwords, or PINs were accessed in the breach.
Learn from this breach:
This breach was unique in that it was not a result of cyberattacks, but an insider threat.
This category of cyber risk is the most difficult to intercept because their malicious actions could easily be mistaken for legitimate daily tasks.
It's also difficult for internal security teams to be vigilant for insider threats because they're already exceeding their bandwidth with risk management tasks.
From these insights, and the key events leading up to the beach, the following lessons can be learned:
- Secure all privileged access - The Desjardins malicious insider should not have had such liberal and unmonitored access to a large personal data resource. By securing all Privileged Access Management such unauthorized access could be prevented.
- Streamline Vendor Risk Management - Efficient Vendor Risk Management practices, such as Vendor Tiering, protect security teams from overload, creating sufficient bandwidth for insider threat monitoring.
- Look for signs of employee dissatisfaction - Regular internal servers or one-on-ones could highlight employee grievances before they escalate into insider threats.
9. Westpac Banking Corporation
Date: June 2013
Impact: 98,000 customers
How did the data breach occur?
This data breach occurred through PayID - Westpac's third-party provider for facilitating transfers between banks with either a mobile number or email address.
PayID operates like a phonebook. Through the PayID lookup function, anyone can confirm the details of an account holder by searching their phone number or email address.
This vulnerability made it possible for hackers to execute an enumeration attack - when brute force techniques are used to either confirm or guess valid records in a database.
When the attack was over, the hackers uncovered the banking details of 98,000 Westpac customers.
What data was compromised?
The enumeration attack exposed the following types of customer data:
- Full names
- Email addresses
- Phone numbers
- Account information
Armed with these details, cybercriminals can keep retargeting victims with a broad range of phishing attacks.
Learn from this breach:
Just because a Government sponsors a platform, it does not mean it's cyber resistant.
Despite warnings of potential security risks, the Australian government approved its New Payments Platform (NPP), assuring the public that fraud and security concerns were “extensively considered" when developing PayID.
The data breach that ironically eventuated after this statement demonstrates that government solutions are vulnerable to the same cyber threats as all third-party software, including dated techniques like brute force attacks.
To prevent such an incident, security controls addressing brute force attacks should be implemented.
Some examples are listed below.
- Limit login attempts - Limit incorrect login attempts from a single IP address.
- Use device cookies - Device cookies will block malicious login attempts coming from specific browsers.
- Block suspicious logins - Block login functionality after a certain number of incorrect attempts.
- Don't reveal correct credentials - Prevent login fields from confirming which specific details are correct.
- Use CAPTCHAS - Choose CAPTCHAS that get progressively harder and more time-consuming with each incorrect login attempt.
10. Flagstar Bank
Date: June 2022
Impact: 1.5 million customers
How did the data breach occur?
One of the largest financial providers in the United States, Flagstar Bank, suffered a massive data breach in June 2022, leaking the Social Security numbers of almost 1.5 million customers. The breach is the second such attack on the Michigan-based online banking giant in as many years. The bank did not disclose how hackers successfully infiltrated the network, but initial investigations showed that the attack may have occurred as early as December 2021.
Flagstar bank initiated incident response protocols as soon as they discovered a data breach and stated that there was no evidence of exploitation during investigations. However, they still advised customers to monitor their credit closely and to report any suspicious activity.
What data was compromised?
Threat actors were able to obtain the following financial data:
- Social Security numbers (SSN)
- Banking information
- Personal information (names, addresses, birthdays)
Learn from this breach:
Although the exact attack vector was not specified, it highlights the importance of covering every possible vulnerability from third-party risk to internal threats to ransomware protection. Despite settling multiple class-action lawsuits in March 2021, Flagstar Bank failed to implement sufficient protection protocols in time.
Good practices for better security should always include, but are not limited to, the following:
- Annual penetration tests
- Security audits (e.g. SOC 2 Audit)
- Updated incident response plans
- Provide cybersecurity training