Top Data Breaches in Finance, And How to Avoid Them
Banks, credit unions, and loaning companies are among the top institutions that need a robust cybersecurity system in order to survive. On top of financial investments, they hold copious amounts of data that can easily be exploited when left unprotected. With just a few clicks, cyberattackers can wipe out every penny.
So how can finance firms avoid the top data breaches from happening to their system? Depending on the root cause of the data breach, several security measures can be applied to protect assets. Keeping software updated, patching up application vulnerabilities, securing the data storage, and encrypting the devices which contain sensitive information are some ways to prevent data breaches in financial institutions.
Dealing with Data Breaches
A data breach is a cybersecurity incident where sensitive information of customers becomes compromised. Data breaches expose personal and financial information, which are often sold on the black market and circulated among identity thieves.
It’s not easy to recover once data has been compromised but it can be prevented by strengthening the security measures in a firm. Studies show that 88% of data breaches have consistent patterns over the years. By deciphering these patterns, it’s possible to minimize the risk of a data breach in a financial institution.
Top Data Breaches in Finance
Even big companies are vulnerable to the data breach, especially if their security measures are loose in some ways. Here are the biggest data breaches in the world of finance and banking:
CitiFinancial (2005)
Affected Parties: 3.9 million customers
How it Happened: The tapes containing the names, addresses, Social Security numbers, account numbers, payment histories, and other personal information of CitiFinancial’s 3.9 million customers were lost in transit by the United Parcel Service (UPS).
While the company claims that the data were not stolen or compromised, reports from institutions that compile personal information (banks, data brokers, universities, and more) have seen an increase in data security failures.
How it Was Resolved: Investigation was performed by the UPS, while CitiFinancial has informed both their 3.9 million customers and the Secret Service about the incident. They mailed letters to their customers offering a 90-day free credit card monitoring service.
This incident also pushed the Californian government to strengthen the law requiring institutions – including private companies, government agencies, and nonprofit organizations – to inform customers in case of data files that have been compromised.
How it Could Be Avoided: Since CitiFinancial claims that there were no indications of theft, the only possible conclusion to draw from this is that human error plays a big part in the loss of tapes in transit. To prevent this, heightened security during transit of sensitive information must be implemented. The tapes, or other physical storage of the data, should also be encrypted to prevent unauthorized people from accessing the information.
Educational Credit Management Corp. (2010)
Affected Parties: 3.3 million customers
How it Happened: Educational Credit Management Corp. is a nonprofit organization that helps students deal with their loans. All the data, which included names, addresses, birthdays, and Social Security numbers, were kept in a portable media. The device was suspected to have been stolen in March of 2010.
ECMC claimed that although personal information was among the data recorded in the portable media, it did not contain financial information like bank account data or credit card numbers of the customers. The corporation also did not confirm whether or not the stolen device was encrypted.
How it Was Resolved: ECMC immediately notified law enforcement agencies to start conducting an investigation that will help recover the missing portable media. Meanwhile, ECMC offered free credit monitoring and protection services in partnership with Experian for all the affected borrowers.
How it Could Be Avoided: Since this data breach is suspected to be caused by a physical attack/theft of a data-carrying device, it would help to keep all important information on the cloud. Having crucial information stored on portable devices like USBs and hard drives is incredibly risky, especially when cloud-based encryption is a convenient option for even the smallest banks.
Data Processors International (2003)
Affected Parties: 8 million credit card numbers (including 2.2 million MasterCard issued and 3.4 million Visa-issued)
How it Happened: In 2003, Data Processors International’s security system was hacked and around 8 million credit card accounts were accessed. This includes cards that are issued by MasterCard, Visa, American Express, and Discover Financial Services, to name a few.
Both MasterCard and Visa notified the banks of the affected cards. Luckily, no report of fraudulent acts from the affected accounts was reported.
How it Was Resolved: DPI immediately sought the help of the Secret Service as well as the FBI to track down the computer hacker responsible for intruding the company’s system. However, the perpetrator was not caught. This incident also contributed to the eventual passing of a law in California that requires institutions to inform affected customers of the data breach.
How it Could Be Avoided: DPI’s case is an instance of hacking, which is the most common cause of data breach. It can happen in several ways, but in the case of a mass-scale hacking in a corporation, the most common gateways point to vulnerable applications. This can be avoided by keeping the software, hardware, and applications patched up and up to date.
Korea Credit Bureau (2014)
Affected Parties: 20 million South Koreans
How it Happened: An employee of the Korean Credit Bureau secretly copied the customer information to an external drive over the course of one and a half years. The information includes identification numbers, names, addresses, and credit card numbers.
This incident alarmed South Koreans, as their country ranks high among the rate of credit card use all over the world. Eventually, the perpetrator was caught and the companies were fined.
How it Was Resolved: After the incident, a special task force was created to investigate the impact of the theft. A public apology by the executives of the three affected credit card companies was also issued. The companies were also suspended from issuing new credit cards for three months after the incident. They were also fined $5640 (6 million won) in addition to the compensation they have to pay for the financial loss of the customers.
How it Could Be Avoided: This case of hacking was done by an employee who had access to the data. It can be prevented by thoroughly checking the background of the worker you will trust to hold the financial and personal information of customers.
Equifax, Inc. (2017)
Affected Parties: 143 million U.S. Accounts
How it Happened: Equifax is a credit monitoring company that caters to Americans, including high-profile accounts of politicians and celebrities. Using an unpatched Apache Struts vulnerability, the hackers were able to access sensitive information from May to July 2017.
On July 29, 2017, Equifax discovered the data breach but waited until Thursday of the same week to publicize the issue.
How it Was Resolved: Before notifying the public, some of the senior executives of Equifax, Inc. sold their company shares worth $1.8 million. Equifax offered free credit monitoring to the affected customers. They also set up a special website to help customers check whether their personal information has been compromised. Aside from this, the Congress was also called to reform the data protection policies in effect.
How it Could Be Avoided: This large incident of theft involving the Social Security numbers of customers was caused by an unnoticed faulty Apache Struts. This kind of vulnerability in a company’s security can be solved by frequently updating the applications and patching up the software to make sure that there are no backdoors for a hacker to utilize.
How Much Will Data Breach Damages Cost You?
Data breach damages cost financial institutions anywhere from $1.25 million to $8.19 million. Banks have the second-largest spending when it comes to the total cost of a data breach at $5.86 million. Each breached account can cost an average of $206.
What Can You Do When Data Has Been Compromised?
Even with so many preventive measures and added security layers to protect sensitive data, there is still a risk that data breach might occur. In the unfortunate case that this happens, here’s what you need to do to contain the issue and prevent it from progressing negatively:
- Inform the customers and the law enforcement authorities with a detailed explanation of what happened.
- Offer customers the right protection like credit monitoring.
- Upgrade the security system to prevent the same incident from happening again.
- Enforce policies in the office that will help strengthen security.
Protect Your Data with Abacus
Minimize the risk of a data breach with the multi-layered and comprehensive security plans we offer at Abacus. Aside from specializing in improved security measures to avoid compromised data, our experts at Abacus are also experienced in mitigating the damages after a data breach.
For an all-around security measure that will protect your company, start your consultation with us by calling (856) 505 6860 or sending an email at info@goabacus.com.
