10 Financial Sector Cyber Attacks and Their Aftermath


Micheal Chukwube


Financial sector cyber attacks are a growing problem, as many institutions have succumbed to various forms of cyber threats. These attacks incur hefty financial costs and undermine the trust and credibility of these firms. This article covers 10 cyber attacks in the financial sector and their enduring impact.

1. JPMorgan Chase (2014)

In 2014, vicious cyber criminals hacked into JPMorgan Chase, paralyzed its systems, and compromised sensitive information on 83 million users, including the names, phone numbers, and emails of 76 million households and 7 million small businesses. Fortunately, account numbers, passwords, and social security numbers were securely encrypted.

In this incident, hackers gained access to JPMorgan’s entire network, including over 90 servers containing customers’ contact information; account numbers and social security numbers had the bare minimum of 2FA protection. Striking security oversights were uncovered when it became apparent that the servers used for the attack lacked 2FA.

The following measures were adopted after the cyberattack:

  • Enhanced Business Information Security Policies: The bank sought greater protection by increasing its annual cybersecurity expenditure from $250 million to $500 million.

  • Strengthened Business Information Security Policies: Significant changes were made to all of the bank's infrastructure policies. All critical servers were equipped with 2FA and other basic security measures, including heightened IT gatekeeping within the corporate fortress.

  • Tightly Controlled External Vendor Policies: JPMorgan, together with the regulators, recognized the importance of the company’s cybersecurity posture and started paying attention to whether third-party vendors met fundamental security prerequisites. Benjamin M. Lawsky, New York’s then-leading financial regulator, proposed vendor audit legislation that would require banks to obtain cybersecurity assurances from their vendors.

The incident made evident how cyber attacks in the financial sector evolve over time, and the ongoing need for adaptive monitoring and strong internal controls, together with oversight of how external business partners guard information, as the coronavirus pandemic escalated.

2. Bangladesh Bank Heist (2016)

In February 2016, hackers executed the most advanced financial cyber attack against the Central Bank of Bangladesh, siphoning off $81 million through the Philippines using SWIFT system credentials they had compromised.

The attackers gained access to Bangladesh Bank’s network video surveillance system and deployed custom-designed malware targeting the SWIFT Alliance Access messaging software. This allowed them to override software restrictions and send payment instructions to the Federal Reserve Bank of New York, routing the payments to their own accounts. A misspelling in one of the transactions stopped the bank from losing more money.

With this incident, SWIFT has put more focus on the vulnerabilities exposed in the global financial messaging system. SWIFT was quick to act by implementing more security rules for its users and urging the bank to implement features that strengthen its cybersecurity measures. The incident also showed how poorly prepared financial entities were to protect their organizations from breaches.

3. Tesco Bank (2016)

In November 2016, Tesco Bank became a real-life example of why financial institutions need robust digital security infrastructure. The compromise of its customer accounts became one of the most famous cyber attack cases in history. For almost two days, attackers exploited vulnerabilities within the bank's debit card system, aided by practically nonexistent safeguards against financial crime.

As it turned out, this attack cost Tesco Bank £2.5 million in funds reimbursed to approximately 9 thousand customers. Unfortunately for the bank, the total damage came to more than £2.5 million. Besides these critical financial losses, Tesco Bank received an indisputably detrimental mark from the FCA that it is still remembered by: a fine of £16.4 million.

Incidents like this demonstrate how underappreciated and how weak cybersecurity measures and, more importantly, security structures are in the finance sector. These security gaps can lead to severe financial repercussions and fines. Any exposed vulnerability puts an institution’s reputation, financial resources, and trustworthiness in the eyes of its customers at risk.

4. Equifax (2017)

In 2017, Equifax, one of the largest credit reporting companies in America, was a victim of a data breach that affected approximately 147.9 million Americans. This marks a significant moment in the history of financial sector cyber attacks.

This breach resulted from a vulnerability in the Apache Struts web application framework, which Equifax was using. The vulnerability in question, CVE-2017-5638, was flagged by the Apache Software Foundation in March 2017 and was later patched, but not before causing damage.

Equifax had not installed these software updates. Attackers were able to exploit these vulnerabilities to breach Equifax’s network in mid-May 2017, staying undetected until the end of July.

Due to this breach, critical data of almost 145.5 million citizens was compromised, including full names, social security numbers, birth dates, residential addresses, and state IDs, as well as credit card information for over 200,000 consumers.

Due to this breach, Equifax faced consumer anger and became the target of more than 57 class action lawsuits. Equifax did not respond in time and was left facing ridicule even after remediating the situation. As a result, Equifax’s CISO had to resign. Subsequently, Equifax faced a surge of legal and financial scrutiny, among other consequences.

This involved sanctions and stringent measures from governing bodies, and Equifax was sued for compensatory damages to affected users and other victims in the range of $575 million to $700 million.

5. Bank of Chile (2018)

The second largest bank in Chile, Banco de Chile, suffered a strategic cyberattack in May 2018, resulting in the theft of $10 million. The cybercriminals infiltrated the internal systems of the bank by using malware, which affected approximately 9000 workstations and servers.

This diversion enabled them to use the SWIFT international payment system to initiate fake transactions that directed funds to various accounts in Hong Kong.

To counter the attack, Banco de Chile cut off access to thousands of compromised terminals as part of its security protocols to prevent further unauthorized access. The bank added that customer accounts remained unaffected throughout. Investigators reported that the attack came from a sophisticated international group based in Eastern Europe or Asia.

This was one of the major cybersecurity incidents that alarmed banks across Latin America, motivating them to rethink their cybersecurity policies. Other financial institutions began adopting these policies, considering that no one would be able to defend against cyber attacks on the financial industry.

Since this incident, cooperation with international cyber security specialists has increased significantly, promoting alignment with international frameworks along with stronger measures to prevent further attacks on the financial industry.

6. Capital One (2019)

A major financial company, Capital One, suffered a data breach in 2019 that had dire consequences and exposed the personal and financial information of more than a hundred million customers. This is one of the many examples the industry has yet to learn from, this time with regard to inadequate cybersecurity measures within the finance industry.

Thompson Paige, an ex-employee of Amazon Web Services (AWS), was responsible for this breach. She bypassed Capital One’s cloud firewall by gaining access through the misconfigured perimeter firewall, and extracted sensitive data from the AWS servers.

The data included names, addresses, dates of birth, and social security numbers; she also accessed bank account information extracts of over a hundred million credit applicants.

The data put at risk was a lot more than just private information; it contained vital financial data, raising the risk to the public and concerns about trust in businesses to new heights. As a result of this breach, the Office of the Comptroller of the Currency (OCC) imposed an $80 million fine on Capital One.

In this case, the bank was found to have failed to put proactive risk evaluation methods in place when it moved its IT infrastructure to the cloud, which severely weakened the network security and data loss prevention measures it had in place and led to the data loss.

7. First American Financial Corp (2019)

In May 2019, First American Financial Corporation, one of the biggest title insurance and real estate companies, suffered a massive data breach when sensitive customer documents were leaked due to a flaw in EaglePro, one of the company’s applications, leading to approximately 885 million users gaining access to the information. Users were able to view arbitrary documents simply by changing the hyperlinks attached to them.
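The flaw described above, where changing the link was enough to open someone else's document, comes down to a missing per-document authorization check. The following is an added example, not First American's code (the store, users, IDs and request log are all constructed), showing the flawed lookup beside a hardened one, plus a simple log check for clients walking through document IDs:

```python
# Added illustration; every name, ID and address here is constructed.
from dataclasses import dataclass, field

@dataclass
class Document:
    doc_id: int
    title: str
    parties: set = field(default_factory=set)  # users allowed to read it

STORE = {
    1001: Document(1001, "Mortgage closing packet", {"alice"}),
    1002: Document(1002, "Tax record", {"bob"}),
    1003: Document(1003, "Driver's license scan", {"bob", "carol"}),
}

def fetch_insecure(doc_id):
    """Flawed pattern: the ID in the link is the only 'credential'."""
    return STORE.get(doc_id)

def fetch_authorized(user, doc_id):
    """Hardened pattern: require an authenticated user on the document's
    access list. Missing and forbidden documents return the same result,
    so the response does not confirm which IDs exist."""
    doc = STORE.get(doc_id)
    if user is None or doc is None or user not in doc.parties:
        return None
    return doc

def flag_enumeration(log, threshold=3):
    """Detection: flag clients denied on `threshold` or more distinct IDs."""
    denied = {}
    for client, user, doc_id in log:
        if fetch_authorized(user, doc_id) is None:
            denied.setdefault(client, set()).add(doc_id)
    return sorted(c for c, ids in denied.items() if len(ids) >= threshold)

# Constructed request log: (client address, authenticated user or None, doc ID)
SAMPLE_LOG = [
    ("198.51.100.7", "alice", 1001),
    ("203.0.113.9", None, 1001), ("203.0.113.9", None, 1002),
    ("203.0.113.9", None, 1003), ("203.0.113.9", None, 1004),
    ("198.51.100.8", "bob", 1003),
]

if __name__ == "__main__":
    print("flagged clients:", flag_enumeration(SAMPLE_LOG))
```
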

The exposed customer records contained sensitive material, including images of driver’s licenses, social security numbers, bank account details, and tax and mortgage documents. Such an event poses an incredible identity fraud risk and showcases the massive gaps in data security within the financial sector.

As a result of the incident, the U.S. SEC brought charges against First American, citing its failure to maintain reasonable cybersecurity disclosure controls.

During the SEC investigation, it came to light that the firm's internal systems had highlighted the gap that led to the breach months prior to the incident, so the firm was aware of it. Consequently, First American settled the dispute by consenting to a cease-and-desist order and paying a penalty of $487,616.

Furthermore, First American has to pay a $1 million fine levied by the New York State Department of Financial Services in November 2023 over regulatory cybersecurity issues related to the breach in question.

This illustrates the dangers associated with cyber warfare in the financial world and simply highlights that access to information pertaining to customers should be guarded far more fiercely.

8. Desjardins Group (2019)

In 2019, Canada’s largest cooperative, Desjardins Group, suffered a considerable data breach when an insider threat compromised the personal data of about 4.2 million members. This incident remains one of the most significant financial sector cyber attacks in Canada.

For at least 26 continuous months, the employee collected and leaked sensitive data, including names, dates of birth, social insurance numbers, addresses, phone numbers, emails, and information about banking habits and products. The breach affected both individual and corporate members, which means the private information of millions was exposed.

Immediately after the breach, Desjardins took extensive and more stringent steps to reinforce security. These included but were not limited to:

  • Creation of a Security Office: The company hired new personnel who were responsible for creating and implementing security policies for the entire organization, which included safeguarding the assets and personal information of members.

  • Comprehensive Security Upgrades: The company increased its security budget and, among other things, installed modern monitoring and breach detection systems to guard against further breach attempts.

  • Identity Protection Services: In conjunction with Equifax, Desjardins established a 5-year credit monitoring deal, enabling members to recover identity-related costs of up to $50,000, alongside asset protection and comprehensive services through the Desjardins Protection Plan.

The financial impact of the breach was $108 million, due to the protective measures and services provided to members after the breach.

9. Reserve Bank of New Zealand (2021)

In January 2021, if memory serves, the Reserve Bank of New Zealand was subject to a severe cyber assault. The hackers gained access to sensitive data through Accellion’s File Transfer Application (FTA), a file-sharing application used by the bank. Hackers had access to sensitive data prior to employing the application.

This attack demonstrates the need for a high level of cybersecurity, especially within the finance sector. In response, RBNZ acted quickly to secure the compromised system and prevent additional breaches by taking it offline. Additionally, it started an external audit to review its cybersecurity measures and find ways to bolster them.

The event demonstrates that thorough screening of vendors, to ensure that they maintain high levels of security, is a requirement. RBNZ has demonstrated that organizations need to constantly revise their cybersecurity policies, because the cyber world is full of threats.

10. Robinhood (2021)

A well-known trading application, Robinhood, was breached in November 2021, with over 7 million user accounts compromised due to a security leak. Social engineering methods are well known to be on the rise, especially in the financial services world.

Social engineering deceived a Robinhood customer service representative, who gave an unscrupulous third party access to important account information. This breach exposed the email account details of around 5 million users, which included 2 million full names as well. Additionally, more sensitive information, such as dates of birth and zip codes, was also exposed for a smaller pool of users.

Robinhood, on the other hand, sought to look as if they were taking the issue seriously by claiming they focus on security and transparency, even though this was not the case. The company claimed to have enforced stricter policies after the attack in relation to zero trust principles and stronger user verification procedures.

Conclusion

Financial sector cyber attacks remain crucial threats to global institutions, customers, and the integrity of data security. By analyzing these 10 incidents and their repercussions, organizations can strategically fortify their defenses against potential future threats in the financial domain.
