Finance and Insurance

Denial of Service and use of stolen credentials on banking applications remain common. Compromised email accounts become evident once those attacked are filtered. ATM Skimming continues to decline.

Top 3 patterns– Web Applications, Privilege Misuse and Miscellaneous Errors represent 72% of breaches

Threat actors– External (72%), Internal (36%), Multiple parties (10%), Partner (2%) (breaches)

Actor motives– Financial (88%), Espionage (10%) (breaches)

Data compromised– Personal (43%), Credentials (38%),Internal (38%) (breaches)

Illustrative breaches

  • Educational Credit Management Corp.
  • Checkfree Corp.
  • Data Processors International
  • Korea Credit Bureau
  • Cardsystems Solutions, Inc.
  • JP Morgan Chase
  • TRW Information Systems and Sears
  • Heartland Payment Systems
  • Equifax Inc.
  • Countrywide Financial Corp.
  • Global Payments Inc.
  • First American Financial Corp.
  • BlackRock Inc.
  • North Country Business Products
  • Coinmama
  • Ascension
  • Desjardins Data
  • Dow Jones 
  • Heartland Payment Systems
  • TJX Companies, Inc.
  • Bupa
  • Health Alliance Plan
  • Wonga
  • Tesco Bank
  • Managed Health Services (MHS) of Indiana
  • EyeSouth Partners
  • Advent Health
  • Spectrum Health Lakeland
  • Milestone Family Medicine
  • State Farm insurance
  • LimeLeads
  • Pacific Specialty Insurance Company
  • Generate, a savings scheme provider in New Zealand
  • Joker’s stash
  • Total Quality Logistics (TQL)
  • Trident Crypto Fund
  • Key ring
  • Fifth Third Bank
  • Paay
  • Grace & Porta
  • Coinsquare
  • Reserve trust
  • Banxico
  • Santa Ana
  • First American Financial Corp.
  • Experian
  • Mitshubishi Electric
  • Liquid Cryptocurency Exchange
  • TronicsXchange
  • Origin Protocol
  • Americold
  • Vertafore
  • Luxottica
  • Campari Group
  • GEO Group
  • Folksam
  • Mattel
  • Japan Post Trading Service Co.
  • The Hanover Chamber of Crafts
  • Ansa McAl
  • Ardonagh Group
  • Development Bank of Seychelles
  • Arthur J Gallegher and Co.
  • Virtual Mail Room
  • Vertafore
  • Postbank 
  • Absa
  • Desjardins 
  •  Juspay

Data breach – maximum fines and damages

  • Equifax:

2017 saw Equifax lose the personal and financial information of nearly 150 million people due to an unpatched Apache Struts framework in one of its databases. The company had failed to fix a critical vulnerability months after a patch had been issued and then failed to inform the public of the breach for weeks after it been discovered.

In July 2019 the credit agency agreed to pay $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s “failure to take reasonable steps to secure its network.”

$300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”

Equifax had already been fined £500,000 [~$625,000] in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act 1998.

  • Tesco Bank:

Tesco Bank, the retail banking arm of the UK supermarket chain, was hit with a £16.4 million ($21.2 million) fine in 2018 by the UK’s Financial Conduct Authority (FCA) after just under $3 million was stolen from 9,000 customer accounts in 2016. The FCA accused Tesco’s of “deficiencies” in the design of its debit card, financial crime controls and in its Financial Crime Operations Team.

  • Joker’s Stash 

There is a fresh database of credit and debit cards issued by Indian banks available for sale on the Dark Web. This database includes payment records of 461,976 cards, 98 per cent of which were from the “biggest Indian banks”.

  • Trident Crypto Fund

A data breach resulted in a publication of over a quarter of a million customer usernames and passwords online.The personal data of 266,000 registered Trident Crypto Fund users was illegally accessed when a database was compromised.  The hackers responsible for the attack decrypted and published a dataset of all login id’s and passwords.

  • Key Ring

A creator of a digital wallet app widely used across North America, has exposed 44 million records which includes ID’s, charge cards, loyalty cards, gift cards medical marijuana ID cards and personal information, researchers say.

Enforcements

NameFineAuthority
N26EUR 50,000Data Protection Authority of
Berlin
SERGICEUR 4,00,000French Data Protection Authority
UNICREDIT BANK SAEUR 1,30,000Romanian National Supervisory
Authority for Personal Data
Processing
ACTIVE ASSURANCESEUR 1,80,000French Data Protection Authority
PWC Business SolutionsEUR 1,50,000Hellenic Data Protection Authority
DSK BankEUR 5,11,000Data Protection Commision of
Bulgaria
Raiffeisen Bank SAEUR 1,50,000Romanian National Supervisory
Authority for Personal Data
Processing
Iberdrola ClientesEUR 8,000Spanish Data Protection Authority
Deutsche Wohnen SEEUR 14,500,000Data Protection Authority of
Berlin
MenzisEUR 50,000Dutch Supervisory Authority for
Data Protection
UWVEUR 9,00,000Dutch Supervisory Authority for
Data Protection
Jocker Premium InvexEUR 6,000Spanish Data Protection Authority
Linea Directa AseguradoraEUR 5,000Spanish Data Protection Authority
Social Insurance Services of the
Ministry of Labor, Welfare and
Social Insurance
EUR 9,000Cyprian Data Protection
Commissioner
Allgemeine OrtskrankenkasseEUR 1,240,000Data Protection Authority of
Baden-Wuerttemberg
Centro de Investigación y Estudio
para la Obesidad, SL
EUR 50,000The Spanish Data Protection
Authority
%d bloggers like this: