Common Data Breach Threats Facing Financial Institutions




Last Updated: February 25, 2015

Although exact figures are elusive, there is no question that the number of data security breaches, both reported and unreported, has been increasing exponentially in recent years. According to publicly available sources, in the period from January 2014 through February 2015, more than 300 data breaches affecting nearly a billion customer records were reported in the United States. [1] Of those breaches, approximately 10% targeted financial institutions. The comparatively low percentage of data breaches affecting financial institutions likely reflects heightened awareness of cybersecurity risks and concomitant preparedness, since financial institutions have always had an elevated risk profile and their practices are subject to various types of regulatory scrutiny.

Regardless of the prevalence of breaches in the industry, cybercrime is considered the second greatest economic criminal threat to financial institutions, with 39% of surveyed firms reporting a cybersecurity attack in 2014. [2] By one estimate, the average cost of a corporate data breach in 2014 was $3.5 million, representing a 15% increase over 2013. [3] Given the rising costs associated with responding to data breaches, and the prevalence of cyber attacks aimed at financial institutions, it is important for entities operating in this sector to be aware of, and prepare to tackle, the most common cybersecurity threats facing the industry.

The table below details a selection of data breaches reported by financial institutions in 2014 and early 2015. As with all security breaches, the details vary by incident. Nevertheless, certain patterns emerge. Based on the breaches listed below, the top cybersecurity threats facing the financial industry appear to be:

1. Hacking: Approximately 32% of the breaches were caused by unauthorized third parties (hackers) gaining access to the entity's network.

2. Employee malfeasance or negligence: Approximately 29% of the breaches were caused by employee theft of customer information or by employee negligence (e.g., exposing the company to phishing scams or other types of malware that compromised the company's network).

3. Vendor malfeasance or negligence: Approximately 21% of the breaches were caused by third-party vendors that intentionally or accidentally shared customer information with unauthorized parties.

4. Theft of devices containing electronic data: Approximately 18% of the breaches were caused by theft of company servers, external hard drives, and employee laptops.

[1] Penny Crosman, Eight Lessons for Banks from the Data Breaches of 2014, AMERICAN BANKER (Dec. 2, 2014), http://www.americanbanker.com/news/bank-technology/eight-lessons-for-banks-from-the-data-breaches-of-2014-1071465-1.html.

[2] PricewaterhouseCoopers LLP, Threats to the Financial Sector: Financial Services sector analysis of PwC's 2014 Global Economic Crime Survey, available at http://www.pwc.com/gx/en/economic-crime-survey/downloads.jhtml.

[3] Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis, PONEMON INSTITUTE (May 5, 2014), http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis.

Selected data breaches reported by financial institutions, 2014 to early 2015 (date reported, entity, description):

1/15/2015, Oppenheimer
Oppenheimer was notified by a brokerage firm that an undisclosed amount of customer information was mistakenly made available to a representative of the associated brokerage firm. The information included names, addresses, Oppenheimer Fund account numbers, and Social Security numbers.

1/5/2015, Morgan Stanley
A Morgan Stanley employee stole customer information of 350,000 clients, including account numbers. Additional information on what other information was captured was not disclosed. Files for as many as 900 clients ended up on a publicly available website.

12/9/2014, Charge Anywhere LLC
An unauthorized party installed sophisticated malware on the networks of Charge Anywhere LLC, a financial technology solutions company, allowing hackers to capture segments of outbound network traffic. The information captured included customer names, card numbers, expiration dates, and verification codes of payment cards, possibly from as far back as November 2009.

11/3/2014, Fidelity National Financial
Certain employees of Fidelity National Financial were the subject of a targeted phishing attack, from which attackers obtained employee username and password information. This information was used to log in to employee email accounts hosted by a third-party service provider. An undisclosed amount of customer personal information, including Social Security numbers, bank account information, payment card information, and driver's license information, may have been affected.

11/3/2014, Palm Springs
An audit conducted by Palm Springs revealed that an external hard drive containing customer data was missing. The external hard drive, which contained information including customer names, addresses, Social Security numbers, and account numbers, was never recovered.

8/28/2014, JP Morgan Chase
JP Morgan Chase reported that 83,000,000 households and small businesses were affected by a breach of customer personal information that included email addresses, home addresses, and phone numbers. The attack began when hackers stole the login credentials of a JP Morgan employee and used the credentials to access a server that did not require two-factor authentication. It was later discovered that the same hackers attempted to infiltrate other financial institutions, although federal officials believe they were unsuccessful.

7/17/2014, Total Bank
Total Bank suffered a breach that potentially affected 72,500 customers' records after an unauthorized third party gained access to the bank's computer network. Information obtained included names, addresses, account numbers, account balances, Social Security numbers, and driver's license numbers.

7/17/2014, Bank of America
Aon Hewitt, a human resources benefit provider for Bank of America, suffered a breach affecting Bank of America employee personal information that included names and Social Security numbers. The breach occurred when an employee of Aon Hewitt's former vendor, Hexaware, saved copies of employee personal information files and uploaded them to a File Transfer Protocol (FTP) website.

7/15/2014, Bank of the West
Bank of the West was the target of an email scam that resulted in two employees' bank email login credentials being temporarily compromised. As a result, customer information, including names, account numbers, loan numbers, and Social Security numbers, was potentially put at risk.

7/2/2014, Multi-State Billing Services LLC
Multi-State Billing Services LLC reported a breach affecting nearly 3,000 students' records after an employee's laptop was stolen. The student information included names, addresses, Medicaid ID numbers, and Social Security numbers.

7/2/2014, Goldman Sachs
A contractor for Goldman Sachs inadvertently sent highly confidential brokerage account information to an unknown party's Gmail account. Goldman Sachs did not know how many clients were affected, and asked a judge to order Google to identify the user who received the misdirected email and to delete the email.

6/27/2014, Benjamin F. Edwards & Co.
Benjamin F. Edwards & Co., a broker-dealer firm, discovered that an unauthorized third party had gained access to its database, which may have resulted in customer personal information being compromised. The company did not disclose the number of individuals affected or the type of information involved.

6/26/2014, Sterne, Agee & Leach
Sterne, Agee & Leach, an Alabama-based brokerage firm, reported a security incident when an employee's firm-issued laptop went missing. The laptop contained an unknown amount of unencrypted customer account information that may have included names, addresses, account numbers, and Social Security numbers.

6/20/2014, Mount Olympus Mortgage
A former employee of Mount Olympus Mortgage downloaded mortgage applications from the company's network to the employee's private Internet accounts, then sent the information to a competitor. The applications included an undisclosed number of names, addresses, Social Security numbers, and other information concerning mortgages.

6/11/2014, Stanford
Stanford informed 18,000 members that their personal information was mistakenly sent to a fellow member rather than to the Credit employee for whom it was intended. The data in question was a list of members who were pre-approved for loans. According to the Credit, the recipient had not yet read the mail when the error was identified, and the data was properly destroyed.

6/4/2014, National Credit Adjusters
National Credit Adjusters, a debt purchasing and debt servicing company, noticed it had suffered a breach when customers reported being contacted by certain unauthorized third-party debt collectors. The personal information that may have been accessed by the unauthorized third-party debt collectors included names, addresses, debt balances, dates of birth, and Social Security numbers.

5/23/2014, Placemark Investments
Malware that infected one of Placemark's servers directed the server to send large batches of spam email. The malware also potentially exposed certain documents with customer account information, including names, addresses, dates of birth, and Social Security numbers.

5/22/2014, Bluegrass Community
Experian, a nationwide credit reporting agency, notified Kentucky-based Bluegrass of unauthorized access to consumer information that included names, addresses, Social Security numbers, dates of birth, and account numbers.

5/14/2014, Paytime
Paytime suffered a breach that affected approximately 233,000 individuals across the country. The information may have included employees' names, Social Security numbers, direct deposit bank account information, dates of birth, hire dates, wage information, home and cell phone numbers, other payroll-related information, and home addresses. The company believed that the breach occurred as a result of skilled hackers working from foreign IP addresses.

5/7/2014, Green's Accounting
Green's Accounting was the victim of a breach after a network server was stolen. The server contained an undisclosed amount of customers' personal information, including Social Security numbers, names, and addresses.

4/22/2014, NCO Financial Systems, Inc.
NCO Financial Systems, Inc. was the victim of a data breach when its third-party communication vendor, RevSpring, Inc., sent an email to a number of loan customers that mistakenly included an attachment containing loan statements. The statements included customers' names, addresses, Social Security numbers, and account numbers.

4/14/2014, Wilshire Mutual
Wilshire Mutual was the victim of a data breach in March 2014 after an undisclosed number of customers' 1099 tax forms were accidentally faxed to incorrect shareholders. The information contained on the forms included customers' names, mutual fund account registration information, addresses of record, the last 4 digits of Social Security numbers, and the fund and account numbers assigned in Wilshire's recordkeeping system.

4/4/2014, Cole Taylor Mortgage
Cole Taylor Mortgage informed customers of a breach of an undisclosed amount of consumer data caused by a technical error on the part of one of its third-party IT services vendors. Information was inadvertently made accessible to employees of another federally regulated bank. The information included customers' names, addresses, Social Security numbers, loan numbers, and certain loan information.

3/25/2014, American Express
American Express sent notification letters to an undisclosed number of cardholders regarding unauthorized activity on their cards. American Express stated that names, card account numbers, and card expiration dates could have been affected.

3/7/2014, Silversage Advisors
Silversage Advisors notified customers of a breach that occurred when backup computer drives were stolen from an offsite location used as part of the firm's disaster recovery plan. The backup drives contained an undisclosed amount of information that included customers' names, addresses, Social Security numbers, driver's license numbers, and account information.

3/5/2014, OANDA Corporation
OANDA Corporation, an online currency trading platform, was the victim of a breach by an unauthorized third party that accessed a historical log of some payments received via PayPal. The information accessed included names and email addresses; usernames or passwords for the company's fxpense expense reporting tool also may have been accessed.

3/4/2014, Capital One
Capital One notified customers of a possible breach when the bank discovered that a former employee may have improperly accessed customer accounts. The information accessed included names, account numbers, Social Security numbers, payment information, and other account information.

2/27/2014, Oak Associates
Oak Associates notified customers of a breach that occurred when a company electronic device containing a data file with Oak Associates records was stolen. This file may have contained customer names, addresses, email addresses, phone numbers, Social Security numbers, and certain account information (including account numbers, shares, balances, set-up dates, and contact instructions).