Global cybercrime is thriving. The 2023 UK Cyber Security Breaches Survey found that over the last 12 months, 32% of businesses have experienced a data breach, with that number climbing to a stunning 69% for large businesses.
The financial sector is a popular target for cybercriminals, and ranks second in the global cyber incident damage statistics. Now more than ever, financial institutions need to ensure that their data and systems are secure.
This article explores the nature of data breaches in the financial sector.
What is a data breach?
A data breach occurs when personal information is accessed, disclosed or lost without authorisation. This typically takes shape in one of two ways:
- Intentional breaches: Caused by malicious actors (e.g., cybercriminals, malicious insiders, hacktivists).
- Unintentional breaches: Caused by human error (e.g., misconfiguring cloud storage buckets, losing devices or forgetting to password-protect a database).
The types of sensitive data exposed in data breaches usually include financial information, personal health information, intellectual property and/or personally identifiable information.
Most common types of data breaches for financial institutions
1. Weak security or stolen data
One of the most common types of data breaches is caused by weak security. According to Verizon’s 2023 Data Breach Investigations Report, 86% of breaches involve the use of compromised credentials. This can be caused by several factors: weak password protection, stolen devices, or criminals compromising sensitive information through social engineering attacks, all of which are significant threats for financial institutions.
2. Social engineering
Cyber attacks like phishing use social engineering tactics to trick employees into providing access to sensitive information, helping the attacker bypass security measures, or directly handing over sensitive data to someone posing as a trusted contact.
This can take shape in the form of an email from the company’s CEO or a text message from a trusted company. In one of the biggest phishing scams to date, a man pleaded guilty to scamming Google and Facebook out of over $100 million through a fraudulent business email compromise scheme.
3. Malware
Malware, often delivered via email, is an intrusive program created with ill intent. Once it has infected a computer, server or network, it propagates throughout the system’s infrastructure and devices, often unnoticed for weeks. Forms of malware include viruses, worms, trojans, spyware, ransomware, adware and fileless malware.
4. Ransomware
Although ransomware is a form of malware, it deserves a separate mention due to the threat it poses in the financial sector. Criminals will encrypt data or whole systems, effectively denying an organisation access to their own data. In 2023, ransomware made up 63% of attacks on financial institutions, a significant increase compared to only 18% the previous year. Most notably, China’s ICBC was hit by a ransomware attack last year that disrupted trading in US Treasuries. The bank allegedly paid the ransom in order to regain access to its operations.
5. Distributed Denial-of-Service (DDoS)
Unlike the other types of threats listed here, DDoS attacks are not hacks. During these attacks, customers are prevented from using the institution’s website because the site is flooded with traffic. While this does not damage the website and is not a data breach in itself, DDoS attacks often result in the loss of data or serve as a smokescreen for other malicious activities, such as data theft or cyber espionage. Recent research by FS-ISAC and Akamai Technologies found that of all DDoS attacks globally between 2022 and 2023, 63% were targeted at financial services (with this number rising to a stunning 91% in APAC).