Data Security Knowledge Base
The Top 10 FinServ Data Breaches
Consumers expect banks and other financial services companies to provide an expert level of security when it comes to their sensitive data, and rightfully so. These companies possess a wealth of personally identifiable information (PII) and payment card industry (PCI) data, such as social security numbers, credit card numbers, birthdates, addresses, phone numbers, credit scores, and more. With this data, cyber criminals can open up bank and credit card accounts, file tax returns, and spend your every penny.
Over the years, some of the biggest data breaches have involved financial service providers, from banks and payment processing companies to loan providers and credit reporting bureaus. In fact, the most recent financial services data breach at Equifax affected over 100 million people. Here are the top 10 FinServ data breaches, listed from smallest to largest in terms of the number of individuals affected:
10. CitiFinancial: 3.9 million accounts
In 2005, CitiFinancial, a subsidiary arm of Citigroup, reported that a box of computer tapes sent over United Parcel Service (UPS) was lost. The tapes had sensitive information, including names, social security numbers, addresses, payment histories, and account numbers, on 3.9 million customers, both current and former, who had applied for personal loans.
9. Educational Credit Management Corp.: 3.3 million accounts
Student loan company Educational Credit Management Corp. fell victim to a data breach in 2010 when their “portable media” was stolen. The enterprise reported that the theft affected 3.3 million people. The breach did not involve financial or banking information, though it did include social security numbers.
8. CheckFree Corp.: 5 million customers
In 2009, electronic bill payment service provider CheckFree Corp. was hit by cybercriminals who hijacked and redirected its site traffic to a malicious site instead. At least 5 million customers logged in with their credentials or enrolled in the fraudulent site to attempt to pay bills. The affected accounts could be much higher than 5 million as CheckFree had 42 million customers who used the site at the time of the breach.
7. Data Processors International: 8 million credit card numbers
In 2003, Data Processors International sought the help of the FBI and the Secret Service after a hacker breached their security systems and stole as many as 8 million credit card numbers. Around 2.2 million were MasterCard-issued credit cards, while 3.4 million were issued by Visa. However, while credit card numbers were stolen, the hacker was not able to steal personal information, such as social security numbers, telephone numbers, names, and addresses.
6. Korea Credit Bureau: 20 million South Koreans
An employee of the Korea Credit Bureau, which offers fraud detection and risk management services, secretly copied databases containing customer details in 2014. Most of the victims were customers of KB Kookmin Bank, Nonghyup Bank, and Lotte Card, and high-level managers at the three companies offered to resign. Identification numbers, credit card numbers, and addresses were stolen from 20 million victims, which represented a whopping 40% of South Korea’s entire population at the time.
5. CardSystems Solutions, Inc.: 40 million credit card accounts
In 2005, MasterCard reported that a hacker had accessed CardSystems Solutions Inc.’s computer network and compromised 40 million credit card numbers—14 million of which were issued by MasterCard.
CardSystems Solutions Inc., a third-party payment processor, confirmed the “security incident” and said that a hacker was able to put malicious code on their network and thus access their files. At the time of the breach, the company was processing at least $15 billion in credit card transactions yearly and had at least 100,000 small businesses as clients.
4. JPMorgan Chase: 76 million households + 7 million small businesses
In 2014, JPMorgan Chase, the largest U.S. bank, reported a data breach that affected 7 million small businesses and 76 million households. Initially, the bank had claimed that only a million accounts were affected in the breach, which was detected a month after its initial intrusion. The bank's officials also assured customers that no financial data was compromised—only names, phone numbers, e-mails, and addresses of account holders. While the JP Morgan data breach could have been much worse, it shattered the illusion that bank security was nearly infallible.
While no financial information was leaked, the hackers were able to get into the bank's systems and obtain a list of applications and programs that the bank was using. This, in turn, could provide them with new points of entry to exploit later as each application has its own vulnerabilities.
3. TRW Information Systems and Sears: 90 million individuals
This next giant finserv data breach is a throwback. In 1984, somebody stole a credit file password to TRW Information Systems that allowed access to the credit histories of 90 million people. The password was stolen from Sears and posted on an electronic bulletin board where other people could access it. The files contained names, addresses, birth dates, credit limits, and social security numbers, and could be used to get credit card numbers. It took TRW a month to plug the breach.
2. Heartland Payment Systems: 130 million customers
Heartland Payment Systems is a payment processing firm that takes care of at least 11 million transactions daily from over 275,000 business locations in the country. In a year, the company is responsible for around $80 billion in transactions. It was the 6th biggest payment processor in the United States, according to a Nilson Report in 2014.
In 2008, Heartland Payment Systems reported that their systems had been hacked. The attack affected around 130 million customers and multiple credit card types. According to ComputerWorld, the company spent around $140 million to deal with the massive breach: $60 million to settle with Visa, $3.5 million to settle with American Express, and legal fees amounting to at least $26 million. In addition, $42.8 million was earmarked for potential settlements and litigation in the future.
1. Equifax, Inc.: 143 million accounts in the US and 400,000 in the UK
Equifax recently reported that as many as 400,000 British accounts and 143 million U.S. accounts were compromised in a data breach. The credit reporting firm disclosed that the data breach involved names, social security numbers, birthdates, telephone numbers, and email addresses. In addition, the hackers stole the credit card numbers of more than 209,000 consumers. The data breach, caused by an unpatched Apache Struts vulnerability, started in mid-May but was not detected until July 29.
This latest breach resulted in the CEO, CSO, and CIO all stepping down and many customers filing lawsuits against the company. The biggest long-term impact it may result in could be a change in the way courts respond to the damage that data breaches cause their victims.
Bonus: Two more data breaches affecting more than a million people
Countrywide Financial Corp.: 2 million applicants
In 2008, a former employee of Countrywide Financial Corp. was arrested for allegedly stealing and selling customer information on the company's 2 million mortgage loan applicants. The former employee was a senior financial analyst and was able to secure up to $70,000 in profits selling the data. The rogue ex-employee downloaded the customer data in installments, stealing around 20,000 customer records per week for two years.
Global Payments Inc.: 1.5 million customers
In 2012, Global Payments Inc., a company that processes card transactions, warned 1.5 million customers that their debit and credit card numbers might have been compromised in a data breach. The breach affected all major credit card brands, though, according to the company, cardholder names, social security numbers, and addresses were not compromised.
While the affected cardholders represented only a small fraction of the 1 billion cardholders in the United States, Global Payments was responsible for about $167 billion of credit card transactions in the fiscal year before the hack. To contain and correct the data breach, the company reportedly paid nearly $100 million: $60 million to investigate and remediate the breach, $35.9 million for fines and fraud losses, and other charges. It was also offset $2 million in insurance recoveries.