The Top 3 Most Expensive Financial Industry Data Leaks

We all expect our banks and other financial institutions to maintain an expert level of security regarding their data and ours. After all, we trust them with mounds of personal information: social security numbers, credit scores, credit card numbers, birthdates, and addresses. If a financial institution is breached, that data is sold off to cybercriminals who won’t hesitate to steal your identity, take every hard-earned penny, and destroy your credit. Below are the top three most expensive data breaches in the financial industry:

1: JPMorgan Chase, 2014: 83 Million Customers and 100 Million Dollars

While most data breaches and leaks result from negligence, some are the direct result of malicious actors. In 2014, as part of a wide-ranging stock manipulation scheme, cybercriminals exploited the “Heartbleed” vulnerability (a published CVE in OpenSSL) to obtain employee credentials and gain access to JP Morgan’s network.

“We got what u wanted so now show me how we make out of it 100 mil [i.e. $100 million] a year.” – Gery Shalon, quoted in the SDNY’s 2015 indictment

After obtaining access, the attackers installed malware to maintain persistent access and exfiltrate data. From July to August 2014, the threat actors exfiltrated customer PII, employee data, and communications from top JP Morgan officials. The exfiltrated data was then used in multiple scams.

For major companies, it can be challenging to keep track of which assets are in use, leading to shadow IT, unpatched servers, and exploitable vulnerabilities. Had JP Morgan had Asset Discovery and Monitoring in place, they would have been alerted to which of their servers were vulnerable to Heartbleed.

2: Heartland Payment Systems: 130 Million Customers & 140 Million Dollars

Heartland Payment Systems, at the time of its data breach, was the sixth-largest payroll processor in the US. Using an SQL injection attack, Albert Gonzalez modified the code of a web script, which gave him access to the login page. The attack went undetected for months, allowing Gonzalez to steal numerous credit card, gift card, and rewards details, which were then used to fund a party lifestyle.

The Heartland hack was nicknamed “Operation Get Rich or Die Tryin” by its perpetrator, Albert Gonzalez.

According to ComputerWorld, dealing with the breach cost $140 million. Of that $140 million, $60 million was spent to settle with Visa, $42 million was earmarked for future settlements, $3.5 million went to settle with American Express, and legal expenses amounted to at least $26 million.

SQL injection attacks are widespread, comprising nearly two-thirds (65.1%) of all web application attacks in 2019. Luckily, preventing SQL injection is fairly easy: validate and restrict the parameters that queries accept (so user input is never treated as SQL), or use a web application firewall to identify and block injection attempts.
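The point above, as an added example that is not part of the original post or of Heartland's systems: a login check written two ways. The vulnerable version splices user input into the SQL string, so a crafted password rewrites the query; the hardened version uses placeholders so the driver treats the input strictly as data. The user table, credentials and test input are constructed for this demonstration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # allow-list for the username parameter


def make_db():
    # Constructed in-memory table; passwords kept in clear only to keep the demo short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: whatever the user types becomes part of the SQL syntax.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Reject usernames outside the allow-list before the query is even built.
    if not USERNAME_RE.match(username):
        return False
    # '?' placeholders: the driver binds the values, they are never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    # Constructed test input: a password that turns the concatenated WHERE clause
    # into "password = '' OR '1'='1'", which is true for every row.
    conn = make_db()
    crafted = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_crafted": login_vulnerable(conn, "alice", crafted),        # wrongly True
        "param_valid": login_parameterized(conn, "alice", "correct-horse"),
        "param_crafted": login_parameterized(conn, "alice", crafted),    # False
        "param_bad_user": login_parameterized(conn, "alice'--", "x"),    # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and note that the same crafted input authenticates against the concatenated query but is rejected by the parameterized one.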

3: Equifax, Inc.: 143 Million Customers & 300 Million Dollars

Equifax saw 143 million U.S. accounts and 400 accounts compromised in a data breach. The credit reporting firm disclosed that the breach involved names, social security numbers, birthdates, telephone numbers, and email addresses. In addition, the hackers stole the credit card numbers of more than 209,000 consumers.

“The cyber hygienically apathetic C-suites running critical infrastructure organizations are losing this war.” ― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology

The data breach was caused by a vulnerability in Apache Struts, a third-party component. A patch that closed the vulnerability was available, but Equifax had not applied it to its servers. For major companies, it can be difficult to keep track of which assets are in use, leading to shadow IT, unpatched servers, and exploitable vulnerabilities.

Had Equifax had Asset Discovery and Monitoring in place, they would have been alerted to which of their servers were exposed to the Apache Struts vulnerability.

As a consequence of the breach, the CEO, CSO, and CIO all stepped down. A $300 million settlement was reached in a class-action lawsuit, and Equifax agreed to lifetime credit monitoring for all those affected.

Special Mention

TRW Information Systems: 90 Million Customers and Unknown Cost

Hop in your time machine and follow us back to the ’80s. TRW Information Systems (sold off in 1996 as Experian) suffered what may be the first modern major data breach. In 1984, an unknown person stole a password to TRW Information Systems’ credit files, which allowed access to the credit records of 90 million people.

The password was stolen from Sears and posted to an electronic bulletin board where other people could access it. The files contained names, addresses, birth dates, credit limits, and social security numbers, and could be used to obtain credit card numbers.

That is it for this blog.

To learn more about the state of cybersecurity, and more financial cybersecurity insights, read CybelAngel’s annual report. It’s packed with insights into industry trends, EASM knowledge, and things to prioritize this year.