Common Data Breach Threats Facing Financial Institutions

Transcription

1 Last Updated: February 25, 2015 Common Data Breach Threats Facing Financial s Although exact figures are elusive, there is no question that the number of data security breaches both reported and unreported has been increasing exponentially in recent years. According to publicly-available sources, in the period from January 2014 through February 2015, more than 300 data breaches affecting nearly a billion customer records were reported in the United States. 1 Of those breaches, approximately 10% targeted financial institutions. The comparatively low percentage of data breaches affecting financial institutions likely reflects heightened awareness of cybersecurity risks and concomitant preparedness, since financial institutions have always had an elevated risk profile and their practices are subject to various types of regulatory scrutiny. Regardless of the prevalence of breaches in the industry, cybercrime is considered the second greatest economic criminal threat to financial institutions, with 39% of surveyed firms reporting a cybersecurity attack in By one estimate, the average cost of a corporate data breach in 2014 was $3.5 million, representing a 15% increase over Given rising costs associated with responding to data breaches, and the prevalence of cyber attacks aimed at financial institutions, it is important for entities operating in this sector to be aware of, and prepare to tackle, the most common cybersecurity threats facing the industry. The table below details a selection of data breaches reported by financial institutions in 2014 and early As with all security breaches, the details vary by incident. Nevertheless, certain patterns emerge. Based on the breaches listed below, the top cybersecurity threats facing the financial industry appear to be: 1. Hacking: Approximately 32% of the breaches were caused by unauthorized third parties (hackers) gaining access to the entity s network. 2. Employee malfeasance or negligence: Approximately 29% of the breaches were caused by employee theft of customer information or employee negligence (e.g., exposing the company to phishing scams or other types of malware that compromised the company s network). 3. Vendor malfeasance or negligence: Approximately 21% of the breaches were caused by third party vendors that intentionally or accidentally shared customer information with unauthorized parties. 4. Theft of devices containing electronic data: Approximately 18% of the breaches were caused by theft of company servers, external hard drives, and employee laptops. 1 Penny Crosman, Eight Lessons for Banks from the Data Breaches of 2014, AMERICAN BANKER (Dec. 2, 2014), 2 PricewaterhouseCoopers LLP, Threats to the Financial Sector: Financial Services sector analysis of PwC s 2014 Global Economic Crime Survey, available at 3 Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis, PONEMON INSTITUTE (May 5, 2014),

2 1/15/2015 Oppenheimer Oppenheimer was notified by a brokerage firm that an undisclosed amount of customer information was mistakenly made available to a representative of the associated brokerage firm. The information included names, addresses, Oppenheimer Fund account numbers, and Social Security 1/5/2015 Morgan Stanley A Morgan Stanley employee stole customer information of 350,000 clients, including account Additional information on what other information was captured was not disclosed. Files for as many as 900 clients ended up on a publicly-available website. 12/9/2014 Charge Anywhere LLC 11/3/2014 Fidelity National Financial 11/3/2014 Palm Springs 8/28/2014 JP Morgan Chase An unauthorized party installed sophisticated malware on the networks of Charge Anywhere LLC, a financial technology solutions company, allowing hackers to capture segments of outbound network traffic. The information captured included customer names, card numbers, expiration dates, and verification codes of payment cards from possibly as far back as November Certain employees of Fidelity National Financial were the subject of a targeted phishing attack, from which attackers obtained employee username and password information. This information was used to log in to employee accounts hosted by a third-party service provider. An undisclosed amount of customer personal information, including Social Security numbers, bank account information, payment card information, and driver s license information, may have been affected. An audit conducted by the Palm Springs revealed that an external hard drive containing customer data was missing. The external hard drive, which contained information including customer names, addresses, Social Security numbers, and account numbers, was never recovered. JP Morgan Chase reported that 83,000,000 households and small businesses were affected by a breach of customer personal information that included addresses, home addresses, and phone The attack began when hackers stole the login credentials of a JP Morgan employee and used the credentials to access a server that did not require double authentication. It was later discovered that the same hackers attempted to infiltrate other financial institutions, although federal officials believe they were unsuccessful. 7/17/2014 Total Bank Total Bank suffered a breach that potentially affected 72,500 customers records after an unauthorized third party gained access to the bank s computer network. Information obtained included names, addresses, account Page 2 of 5

3 numbers, account balances, Social Security numbers, and driver s license 7/17/2014 Bank of America 7/15/2014 Bank of the West 7/2/2014 Multi-State Billing Services LLC Aon Hewitt, a human resources benefit provider for Bank of America, suffered a breach affecting Bank of America employee personal information that included names and Social Security The breach occurred when an employee of Aon Hewitt s former vendor, Hexaware, saved copies of employee personal information files and uploaded them to a File Transfer Protocol (FTP) website. Bank of the West was the target of an scam that resulted in two employees bank login credentials being temporarily compromised. As a result, customer information, including names, account numbers, loan numbers, and Social Security numbers, were potentially put at risk. Multi-State Billing Services LLC reported a breach affecting nearly 3,000 students records after an employee s laptop was stolen. The student information included names, addresses, Medicaid ID numbers, and Social Security 7/2/2014 Goldman Sachs A contractor for Goldman Sachs inadvertently sent highly confidential brokerage account information to an unknown party s Gmail account. Goldman Sachs did not know how many clients were affected, and asked a judge to order Google to identify the user who received the misdirected and delete the . 6/27/2014 Benjamin F. Edwards & Co. 6/26/2014 Sterne, Agee & Leach 6/20/2014 Mount Olympus Mortgage Benjamin F. Edwards & Co., a broker-dealer firm, discovered an unauthorized third party had gained access to its database, which may have resulted in customer personal information being compromised. The company did not disclose the number of individuals affected or the type of information involved. Sterne, Agee & Leach, an Alabama-based brokerage firm, reported a security incident when an employee s firm-issued laptop went missing. The laptop contained an unknown amount of unencrypted customer account information that may have included names, addresses, account numbers, and Social Security A former employee of Mount Olympus Mortgage downloaded mortgage applications from the company s network to the employee s private Internet accounts, then sent the information to a competitor. The applications included an undisclosed number of names, addresses, Social Security numbers, and other information concerning mortgages. Page 3 of 5

4 6/11/2014 Stanford 6/4/2014 National Credit Adjusters 5/23/2014 Placemark Investments 5/22/2014 Bluegrass Community Stanford informed 18,000 members that their personal information was mistakenly sent to a fellow member rather than to the Credit employee for whom it was intended. The data in question was a list of members who were pre-approved for loans. According to the Credit, the recipient had not yet read the mail when the error was identified, and the data was properly destroyed. National Credit Adjusters, a debt purchasing and debt servicing company, noticed it had suffered a breach when customers reported being contacted by certain unauthorized third-party debt collectors. The personal information that may have been accessed by the unauthorized third-party debt collectors included names, addresses, debt balances, dates of birth, and Social Security Malware that infected one of Placemark s servers accessed the server and directed the server to send large batches of spam . The malware also potentially exposed certain documents with customer account information including names, addresses, dates of birth, and Social Security Experian, a nationwide credit reporting agency, notified Kentucky-based Bluegrass of unauthorized access to consumer information that included names, addresses, Social Security numbers, dates of birth, and account 5/14/2014 Paytime Paytime suffered a breach that affected approximately 233,000 individuals across the country. The information may have included employees names, Social Security Numbers, direct deposit bank account information, dates of birth, hire dates, wage information, home and cell phone numbers, other payroll-related information, and home addresses. The company believed that the breach occurred as a result of skilled hackers working from foreign IP addresses. 5/7/2014 Green s Accounting 4/22/2014 NCO Financial Systems, Inc. Green s Accounting was the victim of a breach after a network server was stolen. The server contained an undisclosed amount of customers personal information, including Social Security numbers, names, and addresses. NCO Financial Systems, Inc. was the victim of a data breach when its third party communication vendor, RevSpring, Inc., sent an to a number of loan customers that mistakenly included an attachment containing loan statements. The statements included customers names, addresses, Social Security numbers, and account 4/14/2014 Wilshire Mutual Wilshire Mutual was the victim of a data breach in March 2014 after an undisclosed number of customers 1099 tax forms were accidentally Page 4 of 5

5 faxed to incorrect shareholders. The information contained on the forms included customers names, mutual fund account registration information, addresses of record, the last 4 digits of Social Security numbers, and the fund and account numbers assigned in Wilshire s recordkeeping system. 4/4/2014 Cole Taylor Mortgage 3/25/2014 American Express 3/7/2014 Silversage Advisors 3/5/2014 OANDA Corporation Cole Taylor Mortgage informed customers of a breach of an undisclosed amount of consumer data caused by an technical error on the part of one of their third-party IT services vendors. Information was inadvertently made accessible to employees of another federally-regulated bank. The information included customers names, addresses, Social Security numbers, loan numbers, and certain loan information. American Express sent out notification letters to an undisclosed number of cardholders regarding unauthorized activity on their cards. American Express stated that names, card account numbers, and expiration dates of cards could have been affected. Silversage Advisors notified customers of a breach that occurred when backup computer drives were stolen from an offsite location that was used as part of the firm s disaster recovery plan. The back-up drives contained an undisclosed amount of information that included customers names, addresses, Social Security numbers, driver s license numbers, and account information. OANDA Corporation, an online currency trading platform, was the victim of a breach by an unauthorized third party that accessed a historical log of some payments received via PayPal. The information accessed included names and addresses, and usernames or passwords for the company s fxpense expense reporting tool also may have been accessed. 3/4/2014 Capital One Capital One notified customers of a possible breach when the bank discovered that a former employee may have improperly accessed customer accounts. The information accessed included names, account numbers, Social Security numbers, payment information, and other account information. 2/27/2014 Oak Associates Oak Associates notified customers of a breach that occurred in when a company electronic device that contained a data file with Oak Associates records was stolen. This file may have contained customer names, addresses, addresses, phone numbers, Social Security numbers, and certain account information (including account numbers, shares, balances, set-up dates, and contact instructions). Page 5 of 5