Financial Data Breaches 2019: Capital One, First American, Desjardins, More

Financial Data Breaches 2019: Capital One, First American, Desjardins, More
Written by Brian Thomas
Manager, Content Marketing

Cyber attacks are occurring more frequently and banks, insurance companies, and other financial services firms are prime targets. Due to the nature of these businesses and the sensitivity of their data, financial firms are hit with approximately 300 times more cyber attacks than businesses in other industries.

In 2018, the sector reported 819 cyber incidents, a significant increase from the 69 incidents reported in 2017. While the total numbers for 2019 won’t become clear until we’re well into next year, the financial sector has already experienced a number of significant data breaches in 2019.

Here are some of the biggest financial data breaches of 2019 so far:

Capital One Data Breach

What happened?

On March 22-23, 2019, a hacker gained access to Capital One credit card applications for consumers and small businesses from as early as 2005.

Capital One detected the breach on July 19. According to the bank, about 140,000 social security numbers and 80,000 linked bank account numbers were exposed in the U.S. In addition, approximately 1 million Canadian social insurance numbers were leaked.

How did the breach originate?

Former Seattle tech worker Paige A. Thompson (also known by her screen name “erratic”) was able to gain access to Capital One servers though a misconfigured web application firewall.

Key takeaways

This was a classic breach: one hacker, one major vulnerability, hundreds of millions of dollars in damages. Analysts agree that the breach was preventable, had Capital one configured their firewall correctly.

In some cases, third-party services can help financial firms improve cyber hygiene and prevent breaches by continuously monitoring and alerting users to configuration errors.

First American Financial Corp. Breach

What happened?

In May, KrebsOnSecurity revealed that the website for title insurer First American Financial Corp. suffered a breach that exposed approximately 885 million personal and financial records related to real estate deals from as far back as 2003. The documents were viewable without authentication, making them accessible to anyone.

It’s suspected that anyone able to figure out the format of the company’s document URLs could potentially input any record number and pull up documents associated with the customer case, which included email addresses, names, and phone numbers of closing agents and buyers. It’s not known whether bad actors accessed these documents in the time they were publically available.

How did the breach originate?

The SEC is currently investigating the security failure, so not much is known yet about how the breach originated. However, based on the circumstances, it’s likely that a flaw in the back end of First American’s website led to the exposure of these documents.

Key takeaways

Websites and web applications have historically been a weak spot for financial services firms. In many cases, securing these systems might be a secondary priority, or security might take a backseat to strict go-to-market timelines. However, as the First American data breach illustrates, securing these systems is just as important as protecting any other IT infrastructure.

Desjardins Group Breach

What happened?

A breach at Canadian credit union Desjardins Group exposed the information of up to 2.7 million members. The breach exposed sensitive data such as home addresses, names, email addresses, information on transaction habits for individual members, and social insurance numbers.

How did the breach originate?

This data breach was caused by a malicious insider; someone who worked within Desjardins’ IT department stole protected personal information from the credit union.

Key takeaways

This breach highlights the necessity of least-privilege access models and the automated detection of anomalous behavior. Insider attacks are, in many cases, more difficult to anticipate or prevent than outside-in attacks, but a combination of robust policies and tech solutions can help protect financial institutions from these threats.

Westpac/PayID Breach

What happened?

A cyber attack on PayID, a third-party account authentication service of the New Payments Platform, resulted in the exposure of the banking details of 98,000 Westpac customers. While Westpac has been under scrutiny since the attack, the PayID service is also used by other Australian banks, meaning the breach could be wider than is currently known.

How did the breach originate?

PayID allowed anyone to punch in a phone number and search for the account registered under it, along with the account holder’s name. Authorities suspect that fraudulent PayID accounts were used to generate a series of random lookups and collect data on almost 100,000 customers.

Key takeaways

PayID and the New Payments Platform are part of a national banking infrastructure in Australia. Unfortunately, just because an application is government-sponsored doesn’t mean it’s secure. Previous financial cyber attacks in Bangladesh and Mexico have also originated in national technology systems.

Financial institutions must assess and continuously monitor the cybersecurity performance of all third parties with access to sensitive information, regardless of whether they’re a government agency or a traditional supplier. Thankfully, tools like Bitsight Security Ratings make this process possible, even across portfolios of thousands of third parties.

Read our Whitepaper: The New Essentials of Financial Services Third-Party Risk Management