Five Biggest Data Breaches in Financial Service History: Lessons to Be Learnt

Between February and April 2020, cyber attacks against financial institutions rose by 238%. How can you use lessons from the past to prepare for an uncertain future?

The work-from-home era has led businesses to embrace a far more agile workplace. This will bring substantial benefits long-term. It has also introduced a wide range of new risks that every business needs to confront. But cybercrime obviously isn’t new. During 2019, 54% of companies reported one or more attacks.

The question isn’t really if your organisation will suffer an attack — it’s when. Cyber security leaders are responsible for making the necessary preparations to minimise financial, operational and reputational risk. With proper planning, it’s possible to do right by both your business and your customers.

Here, we are going to look for lessons from the past. By going over the top data breaches in financial service history, we can identify weak points and help you quantify risk and deliver a positive future.

Let’s get started.

 5. Westpac/PayID: third-party account authentication breach

Bottom of the list takes us back to mid-2019, when hackers exposed the banking details of 98,000 Westpac Australian bank customers. These details included phone numbers, names and account information linked to PayID — a payment platform which allows users to immediately transfer money between banks, simply by entering a mobile number or email address.
 

How the data breach occurred:

The hackers used an enumeration attack — a brute-force technique to guess or confirm valid users in the bank’s system. A common enumeration attack occurs when the hacker enters the site’s login page and uses the ‘forgot password’ function.
 

Lessons learnt:

Even government-sponsored platforms like PayID are not immune from hackers and are subject to the same security weaknesses. But the big lesson here is simply the importance of being prepared for a brute-force attack.
 
It’s critical to build robust systems that are hard to breach. For enumeration attacks specifically, build redundancies which prevent too many login attempts from a single IP address. It’s also important to make sure that your login system doesn’t give away details about whether or not the password or username was the incorrect information provided.
 

4. Desjardins Group: Canadian credit union breach

In 2019, up to 4.2 million Desjardins Credit Union users had their personal data exposed. The information included home addresses, names, email addresses and records of transactions. Worst of all, it also included Canadian social insurance numbers.
 
Six months later, it was identified that the breach further impacted 1.8 million credit cardholders who were not Desjardins members. The repair bill for the breach ended up costing the bank more than $100 million — although there is still a pending class-action lawsuit which could add to that total.
 

How the data breach occurred:

This was an inside job by a malicious IT worker who stole protected personal information.
 

Lessons learnt:

Insider attacks are difficult to anticipate. Although most breaches caused by an employee are an act of carelessness — not malice — robust, people-centred policies are critical to security. Fundamentally, you need to manage people as a security risk in the same way as systems and processes.
 
For example, the harm caused by this breach would have been minimised if the system was guided by “least privileged access”. Least privilege access means that users can only gain access to network applications and data necessary for their job. It’s also important to look for signs of employee dissatisfaction and disgruntlement. If that employee has access to sensitive and personal information, preemptive action may be required.
3. Capital One: credit card breach

On July 19, 2019, Capital One discovered that someone had hacked into about 106 million Capital One Capital Card customer applications and active accounts. The hacker accessed social security numbers and 80,000 linked bank accounts in the United States. Even worse, about 1 million Canadian social insurance numbers were leaked.

How the data breach occurred:

A Capital One tech worker gained access to the company’s servers via a misconfigured web application firewall. The tech worker, Paige Thompson, was arrested by the FBI and is awaiting trial. She faces a potential 25-year federal prison sentence.

Lessons learnt:

This is another case of how people (malicious or not) are often the weakest point in your security system. However, had Capital One configured their firewall correctly, this single hacker could have been stopped from inflicting millions of dollars in damages. This highlights how basic cyber hygiene can dramatically reduce risk. Employing third-party cloud firewall services is a practical way to ensure proper maintenance if your internal resources are at capacity.

2. First American Financial: personal and financial records compromised

In May 2019, the website for First American Financial Corp., a major real estate title insurer, exposed approximately 885 million financial and personal records related to real estate transactions that dated back to 2003. The records were unsecured and could be read by anyone.

How the data breach occurred:

The data escaped through what is known as a “business logic flaw”. This is a piece of code that is part of a legitimate workflow, but can be used for malicious outcomes. The attacker is enabled to get around the programmed business rules of the application, disguising the hack as a valid web request.

Lessons learnt:

Among other technical coding and design flaws, the First American Financial breach was caused by insufficient process validation. When an application fails to enforce the rules, the attack proceeds. Fundamentally, it’s critical to make sure that you have the necessary technical resources required to identify and remove these types of vulnerabilities.

1. Equifax: credit reporting data breach

Finally, we go back to September 2017 for the infamous Equifax breach. The breach exposed the names, social security numbers, birthdates, telephone numbers, and email addresses of 143 million accounts in the United States and 400,000 in the United Kingdom. The hackers also stole credit card numbers of over 209,000 customers.

Although the total number of people impacted by this breach is less than some of the other examples listed here, the sensitivity of the data (and the volumes) puts this top of our list as the biggest breach in financial services history. The breach costs Equifax up to $700 million in fines.

How the data breach occurred:

The hack was via a six-month-old Apache Struts vulnerability. Apache Struts is an open-sourced tool with plug-in supports. The vulnerability allowed remote coders to hack into Equifax data.

Lessons learnt:

Aside from the fact that Java web applications are ripe targets for hackers, using modules with known vulnerabilities is a particularly bad idea. The lessons learnt by Equifax’s top leaders — CEO, CIO, and CSO were life-changing. They resigned in the face of the bad publicity and resulting lawsuits. Keep on top of your updates, and regularly review your system vulnerabilities.

How to prevent a data breach

There are no guarantees in cyber security. The fact that four-out-of-five of these incidents occurred since 2019 highlights the escalating nature of the problem. But there are steps you can take to mitigate risk.

At Six Degrees, we’ve developed a number of pillars to our cyber security strategy. We execute these in-house, and help our clients do just the same. If you want personalised support, get in touch.

People, processes and systems

An astonishing 90% of UK data breaches in 2019 were due to human error. Most of these were mistakes, not malicious attacks. But it’s critical to build systems that are easy to use and develop robust training policies. For example, keep your staff up to date on the latest phishing trends, and create redundancies in your system that prevent easy mistakes.

Fundamentally, you need to create repeatable and traceable processes which align your people and technology within mutually supportive systems. Have a viable BYOD policy, isolate vulnerabilities and have a strategy for change. The answer is never going to be one thing, it’s about analysing different risk vectors and creating a plan which takes each factor into account.

Strategic aside: Having a people policy is one thing, getting buy-in and execution is another. You need cross-departmental support, and the cultivation of a cyber-aware culture in your organisation. Getting leadership support is important.

For specifics on how to better position cyber within your business, check out our free resource — Board Presentation Toolkit: Cyber Security and Threat Management.

Understand your appetite for risk

Risk always needs to be contextualised. Not every business can afford to accommodate the same level of risk, and simply knowing that a risk exists doesn’t tell you how much of a problem it actually is. You need to account for your specifics and place risks within a framework aligned with your business priorities and profile.

Generally speaking, financial services need to take a more risk-averse stance than most businesses. But it’s still worth asking yourself a basic set of questions about risk management.

These include:

  1. How sensitive is the data you hold (customer data and corporate data)
  2. How are your customers likely to respond to a breach?
  3. How competitive is your market?
  4. What regulatory or compliance requirements apply, and what are the consequences for failure to comply?

From here, you can start to place security risks within the context of business outcomes. This is the key to understanding where your priorities should sit, and how you need to respond in order to stay secure while continuing to drive positive business results.

Punching above your weight

Finding the right skills, building a process, and procuring cutting-edge technology requires dedicated resources. Strategic partnerships with the right service providers can deliver outcomes without draining your internal resources. Check out our cyber security assessment to get a better picture of your strengths and weaknesses.

If you suffer a breach, you need to treat it as a learning experience, and we can help you with incident response and follow-up protective monitoring. It’s all about staying secure, strong, and competitive. Get in touch if you want a free consultation about your next steps.

Subscribe to the newsletter today

Related posts

Defeat Downtime: Four Steps to Maximise Your Connectivity Resilience

Defeat Downtime: Four Steps to Maximise Your Connectivity Resilience

Network connectivity has never been more resilient, and downtime has…

Living Client First: How We’re Committing to Serving Our Clients Better

Living Client First: How We’re Committing to Serving Our Clients Better

Each year we conduct a Customer Relationship Quality survey with…

Navigating the 3G Switch-Off – What Businesses Need to Know

Navigating the 3G Switch-Off – What Businesses Need to Know

As the UK continues to phase out 3G networks, businesses…

Download your Cyber Security and Threat Management Toolkit