Data is the lifeblood of many modern organizations – and firms in the financial sector are a prime example. As transactions, communications, and operations shift online, safeguarding this data becomes more critical than ever.
However, the financial landscape is riddled with cyber incidents, casting doubt over the security protocols of many organizations. According to the IBM Cost of a Data Breach Report 2023, financial institutions lose approximately $5.8 million per breach – 28% higher than the global average.
SMBs find themselves particularly vulnerable, with their limited resources compared to larger corporations. These entities face potentially devastating consequences in the wake of data breaches.
This article will delve into some significant financial data breaches of the year – from the global catastrophe of the MOVEit Transfer software exploitation, to the ransomware attack on MCNA Insurance.
2023 Data Breaches in the Financial Industry
One of the biggest data breaches of the year has been the mass exploitation of MOVEit Transfer software, which affected consumer organizations globally – including some US financial institutions.
A zero-day vulnerability was discovered in MOVEit Transfer, a managed file transfer service used by thousands of organizations. The vulnerability allowed attackers to raid MOVEit Transfer services and steal data stored within.
Some US-based organizations directly affected by the breach include:
Colorado Department of Healthcare Policy and Financing confirmed the data of over 4 million individuals was accessed due to the vulnerability, including Medicaid and Medicare information, contact information, health insurance information, clinical and medical information, and more.
Genworth Financial, a life insurance agency, had at least 2.5 million records exposed in the breach, including names, social security numbers, dates of birth, policy numbers, and residential addresses. While Genworth’s own systems had not been compromised, the attack stemmed from information it shared with MOVEit.
Nonprofit organization Teachers Insurance and Annuity Association of America found its systems compromised, with data of over 2 million clients’ consumers exposed.
Dental insurer MCNA suffered a ransomware attack that exposed the personal data of over 9 million Americans between late February and early March. The attackers stole personal information including health insurance plans, Medicaid IDs, financial information, social security numbers, and more.
The LockBit ransomware group claimed responsibility after MCNA refused to pay the $10 million ransom, and leaked 700GB of stolen data on its dark web leak site.
US debt collector NCB Management revealed it suffered a breach that exposed the financial data of nearly 1.1 million people in early February. The company notified affected users that financial account numbers or payment card numbers, in combination with security and access codes, passwords, or PINs for the account were accessed.
The company hinted it paid the ransom, informing affected customers that the unauthorized third party no longer had access to any of the data.
Australian consumer lender Latitude Financial revealed that over 14 million customer records, including driver’s license and passport numbers, and financial statements, were stolen in March.
Cyber-attackers used privileged credentials from a third-party vendor to access Latitude Financial’s systems and steal the data. The firm has so far paid $46 million in customer remediation costs, and is currently facing a class action lawsuit.
Over 800,000 customers of Michigan-based financial services provider Flagstar Bank have had their personal information stolen due to a breach at third-party vendor Fiserv, a payment processing and mobile banking services provider.
While Fiserv’s breach was tied to the MOVEit vulnerability, this is the third cyber incident Flagstar Bank has suffered since March 2021 when a ransomware group accessed its file transfer service. The second incident occurred in June 2022, with the data of over 1.5 million customers compromised.
The Effects of Data Breaches on SMBs
When financial institutions fall victim to breaches, the ripple effect is felt across all stakeholders. With the rapid digitalization of most financial services, cybersecurity needs to become a top priority – because when breaches occur, the aftermath can be severe:
Financial Losses: As stated previously, the average cost of a data breach in the financial industry is nearly $6 million. For SMBs/SMEs, such costs could potentially lead to bankruptcy.
Loss of Trust: Consumers prioritize the security of their personal data when choosing financial institutions. A breach can erode this trust, leading to a loss of customers and tarnishing the business’s reputation.
Regulatory Repercussions: Breaches can result in regulatory fines and lawsuits – as seen with the Latitude Financial breach – adding to the financial and operational burdens of SMBs.
Operational Disruption: Post breach, businesses often need to halt their operations temporarily to assess and rectify the damage. This disruption can lead to missed opportunities and stalled revenue streams.
Increased Insurance Premiums: Companies that suffer data breaches are often perceived as high-risk by insurers, leading to higher insurance premiums for data breach coverage.
Strained Business Relationships: Partners, suppliers, and other stakeholders might reconsider their association with a breached company, fearing collateral damage or associational harm.
Safeguard Against Data Breaches with a Strong Cybersecurity Framework
The cyber events of 2023 serve as a stark reminder of the challenges ahead, but with resilience, innovation, and a commitment to security, the financial sector can navigate these turbulent waters and ensure a safer future for all stakeholders.
A comprehensive cybersecurity framework needs to address several factors – the threat landscape, human error, and vendor trustworthiness – to ensure the holistic protection of an organization’s digital assets.
The security specialists at ITGurus can design, implement, and manage the cybersecurity tools and solutions needed to keep your business secure against the multitude of threats, and complex labyrinths of regulatory compliance. Trust us to put your safety first.