
Last Updated: February 25, 2015

Common Data Breach Threats Facing Financial Institutions

Although exact figures are elusive, there is no question that the number of data security breaches – both reported and unreported – has been increasing exponentially in recent years. According to publicly-available sources, in the period from January 2014 through February 2015, more than 300 data breaches affecting nearly a billion customer records were reported in the United States.1 Of those breaches, approximately 10% targeted financial institutions. The comparatively low percentage of data breaches affecting financial institutions likely reflects heightened awareness of cybersecurity risks and concomitant preparedness, since financial institutions have always had an elevated risk profile and their practices are subject to various types of regulatory scrutiny.

Regardless of the prevalence of breaches in the industry, cybercrime is considered the second greatest economic criminal threat to financial institutions, with 39% of surveyed firms reporting a cybersecurity attack in 2014.2 By one estimate, the average cost of a corporate data breach in 2014 was $3.5 million, representing a 15% increase over 2013.3 Given rising costs associated with responding to data breaches, and the prevalence of cyber attacks aimed at financial institutions, it is important for entities operating in this sector to be aware of, and prepare to tackle, the most common cybersecurity threats facing the industry. The table below details a selection of data breaches reported by financial institutions in 2014 and early 2015. As with all security breaches, the details vary by incident. Nevertheless, certain patterns emerge. Based on the breaches listed below, the top cybersecurity threats facing the financial industry appear to be:

1. Hacking: Approximately 32% of the breaches were caused by unauthorized third parties (hackers) gaining access to the entity’s network.

2. Employee malfeasance or negligence: Approximately 29% of the breaches were caused by employee theft of customer information or employee negligence (e.g., exposing the company to phishing scams or other types of malware that compromised the company’s network).

3. Vendor malfeasance or negligence: Approximately 21% of the breaches were caused by third-party vendors that intentionally or accidentally shared customer information with unauthorized parties.

4. Theft of devices containing electronic data: Approximately 18% of the breaches were caused by theft of company servers, external hard drives, and employee laptops.

1. Penny Crosman, Eight Lessons for Banks from the Data Breaches of 2014, American Banker (Dec. 2, 2014), http://www.americanbanker.com/news/bank-technology/eight-lessons-for-banks-from-the-data-breaches-of-2014-1071465-1.html.

2. PricewaterhouseCoopers LLP, Threats to the Financial Sector: Financial Services sector analysis of PwC’s 2014 Global Economic Crime Survey, available at http://www.pwc.com/gx/en/economic-crime-survey/downloads.jhtml.

3. Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis, Ponemon Institute (May 5, 2014).

| Date | Name of Institution | Description of Breach |
|---|---|---|
| 1/15/2015 | Oppenheimer Funds | Oppenheimer Funds was notified by a brokerage firm that an undisclosed amount of customer information was mistakenly made available to a representative of the associated brokerage firm. The information included names, addresses, Oppenheimer Fund account numbers, and Social Security numbers. |
| 1/5/2015 | Morgan Stanley | A Morgan Stanley employee stole customer information of 350,000 clients, including account numbers. Additional information on what other information was captured was not disclosed. Files for as many as 900 clients ended up on a publicly-available website. |
| 12/9/2014 | Charge Anywhere LLC | An unauthorized party installed “sophisticated malware” on the networks of Charge Anywhere LLC, a financial technology solutions company, allowing hackers to capture segments of outbound network traffic. The information captured included customer names, card numbers, expiration dates, and verification codes of payment cards from possibly as far back as November 2009. |
| 11/3/2014 | Fidelity National Financial | Certain employees of Fidelity National Financial were the subject of a targeted phishing attack, from which attackers obtained employee username and password information. This information was used to log in to employee email accounts hosted by a third-party service provider. An undisclosed amount of customer personal information, including Social Security numbers, bank account information, payment card information, and driver’s license information, may have been affected. |
| 11/3/2014 | Palm Springs Federal Credit Union | An audit conducted by the Palm Springs Federal Credit Union revealed that an external hard drive containing customer data was missing. The external hard drive, which contained information including customer names, addresses, Social Security numbers, and account numbers, was never recovered. |
| 8/28/2014 | JP Morgan Chase | JP Morgan Chase reported that 83,000,000 households and small businesses were affected by a breach of customer personal information that included email addresses, home addresses, and phone numbers. The attack began when hackers stole the login credentials of a JP Morgan employee and used the credentials to access a server that did not require two-factor authentication. It was later discovered that the same hackers attempted to infiltrate other financial institutions, although federal officials believe they were unsuccessful. |
| 7/17/2014 | Total Bank | Total Bank suffered a breach that potentially affected 72,500 customers’ records after an unauthorized third party gained access to the bank’s [...] numbers, account balances, Social Security numbers, and driver’s license numbers. |
| 7/17/2014 | Bank of America | Aon Hewitt, a human resources benefit provider for Bank of America, suffered a breach affecting Bank of America employee personal information that included names and Social Security numbers. The breach occurred when an employee of Aon Hewitt’s former vendor, Hexaware, saved copies of employee personal information files and uploaded them to a File Transfer Protocol (FTP) website. |
| 7/15/2014 | Bank of the West | Bank of the West was the target of an email scam that resulted in two employees’ bank email login credentials being temporarily compromised. As a result, customer information, including names, account numbers, loan numbers, and Social Security numbers, was potentially put at risk. |
| 7/2/2014 | Multi-State Billing Services LLC | Multi-State Billing Services LLC reported a breach affecting nearly 3,000 students’ records after an employee’s laptop was stolen. The student information included names, addresses, Medicaid ID numbers, and Social Security numbers. |
| 7/2/2014 | Goldman Sachs | A contractor for Goldman Sachs inadvertently sent “highly confidential brokerage account information” to an unknown party’s Gmail account. Goldman Sachs did not know how many clients were affected, and asked a judge to order Google to identify the user who received the misdirected email and delete the email. |
| 6/27/2014 | Benjamin F. Edwards & Co. | Benjamin F. Edwards & Co., a broker-dealer firm, discovered an unauthorized third party had gained access to its database, which may have resulted in customer personal information being compromised. The company did not disclose the number of individuals affected or the type of information involved. |
| 6/26/2014 | Sterne, Agee & Leach | Sterne, Agee & Leach, an Alabama-based brokerage firm, reported a security incident when an employee’s firm-issued laptop went missing. The laptop contained an unknown amount of unencrypted customer account information that may have included names, addresses, account numbers, and Social Security numbers. |
| 6/20/2014 | Mount Olympus Mortgage Company | A former employee of Mount Olympus Mortgage Company downloaded mortgage applications from the company’s network to the employee’s private Internet accounts, then sent the information to a competitor. The applications included an undisclosed number of names, addresses, Social Security numbers, and other information concerning mortgages. |
| 6/11/2014 | Stanford Federal Credit Union | Stanford Federal Credit Union informed 18,000 members that their personal information was mistakenly sent to a fellow member rather than to the Credit Union employee for whom it was intended. The data in question was a list of members who were pre-approved for loans. According to the Credit Union, the recipient had not yet read the mail when the error was identified, and the data was properly destroyed. |
| 6/4/2014 | National Credit Adjusters | National Credit Adjusters, a debt purchasing and debt servicing company, noticed it had suffered a breach when customers reported being contacted by certain unauthorized third-party debt collectors. The personal information that may have been accessed by the unauthorized third-party debt collectors included names, addresses, debt balances, dates of birth, and Social Security numbers. |
| 5/23/2014 | Placemark Investments | Malware that infected one of Placemark’s servers accessed the server and directed the server to send large batches of spam email. The malware also potentially exposed certain documents with customer account information including names, addresses, dates of birth, and Social Security numbers. |
| 5/22/2014 | Bluegrass Community Federal Credit Union | Experian, a nationwide credit reporting agency, notified Kentucky-based Bluegrass Federal Credit Union of unauthorized access to consumer information that included names, addresses, Social Security numbers, dates of birth, and account numbers. |
| 5/14/2014 | Paytime | Paytime suffered a breach that affected approximately 233,000 individuals across the country. The information may have included employees’ names, Social Security numbers, direct deposit bank account information, dates of birth, hire dates, wage information, home and cell phone numbers, other payroll-related information, and home addresses. The company believed that the breach occurred as a result of “skilled hackers working from foreign IP addresses.” |
| 5/7/2014 | Green’s Accounting | Green’s Accounting was the victim of a breach after a network server was stolen. The server contained an undisclosed amount of customers’ personal information, including Social Security numbers, names, and addresses. |
| 4/22/2014 | NCO Financial Systems, Inc. | NCO Financial Systems, Inc. was the victim of a data breach when its third-party communication vendor, RevSpring, Inc., sent an email to a number of loan customers that mistakenly included an attachment containing loan statements. The statements included customers’ names, addresses, Social Security numbers, and account numbers. |
| 4/14/2014 | Wilshire Mutual Funds | Wilshire Mutual Funds was the victim of a data breach in March 2014 after an undisclosed number of customers’ 1099 tax forms were accidentally faxed to incorrect shareholders. The information contained on the forms included customers’ names, mutual fund account registration information, addresses of record, the last 4 digits of Social Security numbers, and the fund and account numbers assigned in Wilshire’s recordkeeping system. |
| 4/4/2014 | Cole Taylor Mortgage Company | Cole Taylor Mortgage Company informed customers of a breach of an undisclosed amount of consumer data caused by a technical error on the part of one of their third-party IT services vendors. Information was inadvertently made accessible to employees of another federally-regulated bank. The information included customers’ names, addresses, Social Security numbers, loan numbers, and certain loan information. |
| 3/25/2014 | American Express Company | American Express sent out notification letters to an undisclosed number of cardholders regarding unauthorized activity on their cards. American Express stated that names, card account numbers, and expiration dates of cards could have been affected. |
| 3/7/2014 | Silversage Advisors | Silversage Advisors notified customers of a breach that occurred when back-up computer drives were stolen from an offsite location that was used as part of the firm’s disaster recovery plan. The back-up drives contained an undisclosed amount of information that included customers’ names, addresses, Social Security numbers, driver’s license numbers, and account information. |
| 3/5/2014 | OANDA Corporation | OANDA Corporation, an online currency trading platform, was the victim of a breach by an unauthorized third party that accessed a historical log of some payments received via PayPal. The information accessed included names and email addresses, and usernames or passwords for the company’s “fxPense” expense reporting tool also may have been accessed. |
| 3/4/2014 | Capital One | Capital One notified customers of a possible breach when the bank discovered that a former employee may have improperly accessed customer accounts. The information accessed included names, account numbers, Social Security numbers, payment information, and other account information. |
| 2/27/2014 | Oak Associates Funds | Oak Associates Funds notified customers of a breach that occurred when a company electronic device that contained a data file with Oak Associates Funds records was stolen. This file may have contained customer names, addresses, email addresses, phone numbers, Social Security numbers, and certain account information (including account numbers, shares, balances, set-up dates, and contact instructions). |
