Data Breach Bullseye - Part 2

This series is tracking the impact of last year’s record number of sensitive data breaches on three of the industries most vulnerable to cyberattacks: healthcare, financial services, and education. Last week, we uncovered why healthcare was the number one target for cyberattacks, which you can read here.

In today’s post, we’ll explore the full extent of 2021’s attacks on the financial services industry and why it remains such a high-value target.

Understanding the impact of data breaches in financial services

When we hear how there’s risk in any financial investment, we usually aren’t thinking in terms of having our information — and possibly our money — stolen. But in 2021, that’s exactly what happened to nearly 20 million people as the financial services sector found itself in the unenviable position of being the second-most targeted industry for cybercrime. In fact, the industry was the target for 15% of all cyberattacks in 2021, with 82% of those attacks involving sensitive data.

According to the Identity Theft Resource Center’s 2021 Annual Data Breach Report, last year saw a 200% increase in the number of data breaches reported by U.S.-based organizations (from 138 incidents in 2020 to 279 incidents in 2021) while the number of individuals impacted by data breaches increased six-fold (from 2.7 million in 2020 to 19.7 million in 2021).

Financial services ranked among the top targets for sensitive data breaches in 2021, including:

#2 for human and system insider errors
#3 for third-party/supply chain attacks
#4 for ransomware attacks
#5 for the most individuals impacted by sensitive data breaches

Financial services top attack vectors

It’s hard to think of an industry with more sensitive, high-value information than financial services. From Social Security and bank account numbers to credit card and even driver’s license information, the wealth of valuable sensitive data in the financial sector made it the second-most targeted industry for cybercrime in 2021. Sensitive data stolen from financial services organizations provides attackers with access to personally identifiable information (PII) that can lead to identity theft and fraud.

Analysis of the Identity Theft Resource Center’s (ITRC) notified Dashboard, a comprehensive database of publicly reported data breaches in the United States, showed a total of 199 financial services cyberattacks that compromised the sensitive data of more than 5.2 million people. These cyberattacks took advantage of the psychology of inadequately trained employees, unpatched software flaws, and unsecured cloud environments.

Financial Services Sensitive Data Cyberattack Victims by Attack Vector

| Attack Vector | Individuals Impacted | Total Incidents |
| --- | --- | --- |
| Phishing, smishing, business email correspondence | 2,336,739 | 73 |
| Third party/supply chain | 815,296 | 30 |
| Ransomware | 150,922 | 24 |
| Malware | 105,374 | 8 |
| Unsecured cloud environment | 131,913 | 1 |

Source: Identity Theft Resource Center notified database January 1-December 31, 2021

These patterns illustrate the frequency with which attackers used strategies like hacking, spoofing, and impersonation to extract Social Security numbers to be used as ransom. Since 45% of cyberattacks used email compromise methodologies in 2021, employers need to double down on employee training to help them better identify malicious emails. Failure to do so may prove to be a handicap as the frequency of remote work increases.

The lifecycle of a financial services sensitive data breach was 73% longer than a non-sensitive data breach in 2021. It also took 40% longer to detect and contain sensitive data incidents caused by internal actors versus external actors.

The cost of data breaches in financial services

Data breaches in the financial services industry cost organizations an average of $5.72 million per breach—the second highest among all industries in 2021. The sensitive nature of the data stolen from financial services organizations typically results in other major sources of revenue loss for businesses, including ransom payoffs, data recovery costs for victims, massive lawsuits from both regulatory bodies and individuals affected by data breaches, and business loss from public mistrust.

Top ten data breaches by the numbers

The top ten sensitive data breaches account for 63% of the industry’s total sensitive data privacy victims. The largest sensitive data breach occurred at a commercial bank via a supply chain attack that impacted the sensitive data of close to 1.5 million individuals.

Insurance carriers were involved in 6 of the top 10 data incidents. All of last year’s top breaches were cyberattacks engineered by external actors. The primary target was Social Security numbers in 9 out of the top 10 incidents, which largely occurred through compromised email credentials. Unlike other industries where ransomware was a predominant cyberattack vector, it only accounted for two of the financial industry’s top ten data breaches.

A proactive approach to data breach protection

The overall digital transformation that relies on cloud security and data movement across remote endpoints in a post-pandemic world means that cybersecurity threats to financial services organizations are not going anywhere anytime soon.

Smart organizations are prioritizing a proactive approach towards protecting sensitive data before attacks occur by automating the discovery, classification, and remediation of private information wherever it lives within their IT environment.

In part three of this series, we will cover 2021’s most lucrative data breaches in the Education sector.

Want to dig deeper?

Read more in our new report Financial Services Guide to Sensitive Data Breaches and visit www.spirion.com to learn about how to proactively protect your sensitive data and curb the cost of a data breach.
