Financial Services

Information Security in the Banking and Financial Industry: Lessons Learned from 4 Major Data Breaches

Alex Campanelli | July 24, 2018

[updated January 10, 2021]

The financial services industry is built on trust. In the past, this trust was physically embodied by heavy bank vaults made from multiple layers of steel. Today, however, attackers and thieves don’t need lock picks to steal from financial firms and damage the public’s trust in their services.

Because of the potential value of the information in their IT systems, financial institutions are frequent targets for cyber criminals. As a result, information security in the banking and financial industry is a top priority for security teams, executives, and the board of directors.

By studying recent financial services data breaches, security professionals at these organizations can learn how to create cybersecurity programs that exceed regulatory requirements and truly keep customers’ information and property safe.

Here are four recent data breaches that banks and financial services firms can learn from:

2019 Capital One Data Breach

What happened

In March, 2019, a hacker gained access to the Social Security numbers, account numbers, credit scores, names and addresses, and other information of more than 100 million Capital One customer accounts stored in the Amazon Web Services (AWS) cloud. 

In August, 2020, Capital One was ordered to pay $80 million for careless network security practices, with the U.S. Treasury Department ruling that the bank had “failed to establish effective risk management when it migrated information technology operations to a cloud-based service.” The bank’s own internal audit had also failed to identify numerous weaknesses in its management of the cloud environment, according to The Associated Press.

How did the breach originate?

The hacker, Paige Thompson (a former software engineer for AWS), exploited a vulnerability exposed by a misconfigured Web Application Firewall. Thompson’s attack method is not unique and exploited what has been described as “...the most serious vulnerability facing organizations using public clouds.

Key takeaways

The Capital One case shone a spotlight on a pervasive challenge in security organizations — that people and cultural problems can compound cyber risk. Although technical failings were at the heart of the breach, a series of overlooked issues produced perfect storm conditions for the attack. Indeed, employees of the bank raised concerns about cybersecurity, specifically high turnover of security personnel and a failure to install software to monitor and defend against attacks. 

The attack also raised questions about who owns security in the cloud. The AWS shared responsibility model makes it clear that while AWS assumes responsibility for the cloud infrastructure, customers are responsible for the security of their own data. That means they’re responsible for regularly patching and updating software, ensuring systems are configured correctly, and other management tasks. This is where Capital One went awry. 

To avoid the same fate, information security professionals in the banking and financial industry must do everything they can to ensure their security postures are as robust as possible. This means going beyond point in time AWS audits to better visualize and assess risk across their expanding digital ecosystems, continuously monitor security performance on-premise and in the cloud, and implement a robust third-party risk management program.

Read more about lessons learned from the Capital One breach.

2018 Cyber Attack of Mexican Banks 

What happened

In April 2018, three Mexican banks experienced what they described as security “incidents” while accessing SPEI, the country’s interbank electronic transfer system. Cyber criminals belonging to a group known as the Bandidos Revolutions Team were able to siphon hundreds of millions in pesos from several banks. The hack was the largest cyber attack in Mexican history. 

How did the breach originate?

To pull off the attack, thieves created phantom orders that wired funds to bogus accounts which were then emptied via ATMs. The group used the same tactics as a North Korean cyber crime syndicate whose attempts to pull off a $110 million bank heist in Mexico were thwarted by authorities in January, 2018. 

Reuters later reported that the problem had to do with software developed by third-party providers to connect to the central bank’s SPEI interbank transfer system.

The Mexican government and banking institutions were later criticized for failing to take adequate steps to prevent cyber attacks. 

Key takeaways

Even when no funds are stolen and no customer credentials are released, cyberattacks can be a major problem for the banking and financial industry. When certain third or fourth parties are compromised - such as the SPEI - costly operational slowdowns can occur.

It’s important for financial institutions to have a working map of their operational network, including third and fourth parties. For the most sensitive relationships, firms should have backup plans in place to ensure the continuity of business while issues are being resolved.

When it comes to building trust, the best thing financial services firms can do is bolster their cyber risk programs. For these firms, mitigating cyber risk means more than monitoring a network — it means assessing vendor security and the operational impact of third and fourth parties as well.

 

2017 Scottrade Data Breach 

What happened

On March 31, 2017, a security researcher noticed a cache of unencrypted consumer information from Scottrade Bank, the banking arm of Scottrade Financial Services, on publicly accessible servers. The database contained names, addresses, and social security numbers of Scottrade contacts, as well as usernames and passwords for various employee accounts.

A few days later, it became clear that the data was uploaded in error by a third-party vendor, a professional services firm called Genpact.

The breach exposed the information of around 20,000 Scottrade customers.

How did the breach originate?

Genpact accepted the blame for the breach and chalked it up to a one-time mistake. However, careless employee behavior could indicate a lack of effective cybersecurity training and controls at the organization.

Scottrade was quick to point out that the breach originated through a third-party, but it’s possible that they had a certain amount of responsibility for the incident as well.

Key takeaways

Effective vendor risk management should be a component of any financial services firm’s cybersecurity efforts. When third parties have access to sensitive information, firms must ensure this data is being handled with care. In order to operate with the most up-to-date information on vendors’ cybersecurity postures, financial services firms should make use of continuous monitoring tools like BitSight Security Ratings.

2016 Bangladesh Bank Heist

What happened

In February, 2016, hackers used stolen credentials to send money transfer requests that supposedly originated from the central bank of Bangladesh. The requests were sent over the SWIFT banking network, a computer network operated by a consortium of banks that processes sensitive financial communications.

The requests were sent to the Federal Reserve Bank of New York. They specified that funds from Bangladesh Bank’s accounts at the Fed be transferred to various recipients in the Philippines, Sri Lanka, and other countries.

The attackers installed malware at Bangladesh Bank that kept the SWIFT system from working properly and alerting workers of the suspicious transactions. The malware also prevented the Federal Reserve Bank of New York’s inquiries into the transactions from getting through.

As a result, the Fed went ahead and processed the transactions, sending $81 million USD to overseas accounts.

How did the breach originate?

Bangladesh bank was breached and malware was placed on their system to prevent employees from discovering the fraudulent transactions before it was too late. Their SWIFT access credentials were also stolen.

SWIFT was not breached directly, but the system connects thousands of banks around the world. An attack on one bank in the SWIFT network could potentially have ripple effects affecting any other bank. In fact, the system has been used in a series of other attempted thefts.

Key Takeaways

The number one priority for banking and  financial services firms is to protect their own IT systems. Information security in the banking and financial industry should not only meet but exceed regulatory requirements and take into account the latest threat intelligence.

However, focusing on internal security alone is not enough. Comprehensive financial services risk management programs should also focus on third and fourth parties who have access to sensitive information or resources and the risk they pose to the organization. In addition, the security of systems and applications that connect firms to other organizations should not be taken for granted.


Don’t let “one-time-mistakes” lead to data breaches. Learn more about building a cyber risk-aware culture in your organization.

New Call-to-action

Suggested Posts

FFIEC IT Handbook Updates: Business Continuity Is 2020 Focus

In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released an update to the Information Technology Examination Handbook (IT Handbook). This handbook is a guide for examiners at its member agencies, which...

READ MORE »

Cloud outsourcing poses new challenges for regulators and Financial Services

Cyber risk and regulatory compliance are two sides of the same coin in the Financial Services sector. Together, they spur Financial Services companies to take action to protect customers, their business and the global financial ecosystem...

READ MORE »

Financial services in Asia Pac face regulatory driven scrutiny of cyber risk management

The evolution of the technology environment and related security threats is so fast paced it often seems businesses and regulators are playing an endless game of catch-up.

READ MORE »

Subscribe to get security news and updates in your inbox.