Lessons Learned from 3 Major Financial Services Data Breaches

Alex Campanelli | July 24, 2018

The financial services industry is built on trust. In the past, this trust was physically embodied by heavy bank vaults made from multiple layers of steel. Today, however, attackers and thieves don’t need lock picks to steal from financial firms and damage the public’s trust in their services.

Because of the potential value of the information in their IT systems, financial institutions are frequent targets for cyber criminals. By studying recent financial services data breaches, security professionals at these organizations can learn how to create cybersecurity programs that exceed regulatory requirements and truly keep customers’ information and property safe.

Here are three recent data breaches banks and other financial services firms can learn from:


What happened:

On February 4th, 2016, hackers used stolen credentials to send money transfer requests that supposedly originated from the central bank of Bangladesh. The requests were sent over the SWIFT banking network, a computer network operated by a consortium of banks that processes sensitive financial communications.

The requests were sent to the Federal Reserve Bank of New York. They specified that funds from Bangladesh Bank’s accounts at the Fed be transferred to various recipients in the Philippines, Sri Lanka, and other countries.

The attackers installed malware at Bangladesh Bank that kept the SWIFT system from working properly and from alerting workers to the suspicious transactions. The malware also prevented the Federal Reserve Bank of New York’s inquiries into the transactions from getting through.

As a result, the Fed went ahead and processed the transactions, sending $81 million USD to overseas accounts.

How did the breach originate?

Bangladesh Bank was breached, and malware was placed on its systems to prevent employees from discovering the fraudulent transactions before it was too late. Its SWIFT access credentials were also stolen.

SWIFT was not breached directly, but their system connects thousands of banks around the world. An attack on one bank in the SWIFT network could potentially have ripple effects affecting any other bank. In fact, the system has been used in a series of other attempted thefts.

Key takeaways:

For financial services firms, protecting one’s own IT systems is priority number one. Security programs should not only meet but exceed regulatory requirements and take into account the latest threat intelligence.

However, focusing on internal security alone is not enough. Comprehensive financial services risk management programs should also focus on third and fourth parties who have access to sensitive information or resources and the risk they pose to the organization. In addition, the security of systems and applications that connect firms to other organizations should not be taken for granted.


What happened:

On March 31st, 2017, a security researcher noticed a cache of unencrypted consumer information from Scottrade Bank, the banking arm of Scottrade Financial Services, on publicly accessible servers. The database contained names, addresses, and social security numbers of Scottrade contacts, as well as usernames and passwords for various employee accounts.

A few days later, it became clear that the data was uploaded in error by a third-party vendor, a professional services firm called Genpact.

The breach exposed the information of around 20,000 Scottrade customers.

How did the breach originate?

Genpact accepted the blame for the breach and chalked it up to a one-time mistake. However, careless employee behavior could indicate a lack of effective cybersecurity training and controls at the organization.

Scottrade was quick to point out that the breach originated through a third party, but it’s possible that they have a certain amount of responsibility for the incident as well.

Key takeaways:

Effective vendor risk management should be a component of any financial services firm’s cybersecurity efforts. When third parties have access to sensitive information, firms need to ensure this data is being handled with care. In order to operate with the most up-to-date information on vendors’ cybersecurity postures, financial services firms should make use of continuous monitoring tools like BitSight Security Ratings.


What happened:

In April 2018, three Mexican banks experienced what they described as security “incidents” while accessing SPEI, the country’s interbank electronic transfer system.

Because the system was deemed unsafe for a period of time, operations were slowed down or halted at all three institutions.

How did the breach originate?

As of this writing, the perpetrator of the attack is unknown.

Key takeaways:

Even when no funds are stolen and no customer credentials are released, cyberattacks can be a major problem for financial institutions. When certain third or fourth parties are compromised, costly operational slowdowns can occur.

It’s important for financial institutions to have a working map of their operational network, including third and fourth parties. For the most sensitive relationships, firms should have backup plans in place to ensure the continuity of business while issues are being resolved.

When it comes to building trust, the best thing financial services firms can do is bolster their cyber risk programs. For these firms, mitigating cyber risk means more than monitoring a network — it means assessing vendor security and the operational impact of third and fourth parties as well.
