Denial of Service and use of stolen credentials on banking applications remain common. Compromised email accounts become evident once those attacks are filtered out. ATM skimming continues to decline.
Top 3 patterns – Web Applications, Privilege Misuse and Miscellaneous Errors represent 72% of breaches
Threat actors – External (72%), Internal (36%), Multiple parties (10%), Partner (2%) (breaches)
Actor motives – Financial (88%), Espionage (10%) (breaches)
Data compromised – Personal (43%), Credentials (38%), Internal (38%) (breaches)
Illustrative breaches
- Educational Credit Management Corp.
- CheckFree Corp.
- Data Processors International
- Korea Credit Bureau
- CardSystems Solutions, Inc.
- JP Morgan Chase
- TRW Information Systems and Sears
- Heartland Payment Systems
- Equifax Inc.
- Countrywide Financial Corp.
- Global Payments Inc.
- First American Financial Corp.
- BlackRock Inc.
- North Country Business Products
- Coinmama
- Ascension
- Desjardins Data
- Dow Jones
- Heartland Payment Systems
- TJX Companies, Inc.
- Bupa
- Health Alliance Plan
- Wonga
- Tesco Bank
- Managed Health Services (MHS) of Indiana
- EyeSouth Partners
- AdventHealth
- Spectrum Health Lakeland
- Milestone Family Medicine
- State Farm Insurance
- LimeLeads
- Pacific Specialty Insurance Company
- Generate, a savings scheme provider in New Zealand
- Joker’s Stash
- Total Quality Logistics (TQL)
- Trident Crypto Fund
- Key Ring
- Fifth Third Bank
- Paay
- Grace & Porta
- Coinsquare
- Reserve Trust
- Banxico
- Santa Ana
- First American Financial Corp.
- Experian
- Mitsubishi Electric
- Liquid Cryptocurrency Exchange
- TronicsXchange
- Origin Protocol
- Americold
- Vertafore
- Luxottica
- Campari Group
- GEO Group
- Folksam
- Mattel
- Japan Post Trading Service Co.
- The Hanover Chamber of Crafts
- ANSA McAL
- Ardonagh Group
- Development Bank of Seychelles
- Arthur J. Gallagher and Co.
- Virtual Mail Room
- Vertafore
- Postbank
- Absa
- Desjardins
- Juspay
- Upstox
- Debt-IN
- Pine Labs
- Morgan Stanley
- ClearBalance
- Debt-IN
- BEC Data
- Robinhood trading platform
- CDSL
- Punjab National Bank
- Neiman Marcus Group
- Lion Street
- Banco Pichincha
- Missouri Pension Fund
- Crypto.com
- Gitterman Wealth Management, LLC
- Cape Cod Five Cents Bank
- Morley Companies
Data breach – maximum fines and damages
- Equifax: 2017 saw Equifax lose the personal and financial information of nearly 150 million people due to an unpatched Apache Struts framework in one of its databases. The company had failed to fix a critical vulnerability months after a patch had been issued and then failed to inform the public of the breach for weeks after it had been discovered. In July 2019 the credit agency agreed to pay $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s “failure to take reasonable steps to secure its network.” $300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years. “Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.” Equifax had already been fined £500,000 [~$625,000] in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act 1998.
- Tesco Bank: Tesco Bank, the retail banking arm of the UK supermarket chain, was hit with a £16.4 million ($21.2 million) fine in 2018 by the UK’s Financial Conduct Authority (FCA) after just under $3 million was stolen from 9,000 customer accounts in 2016. The FCA accused Tesco Bank of “deficiencies” in the design of its debit card, in its financial crime controls and in its Financial Crime Operations Team.
- Joker’s Stash: A fresh database of credit and debit cards issued by Indian banks was put up for sale on the Dark Web. It includes payment records of 461,976 cards, 98 per cent of which were from the “biggest Indian banks”.
- Trident Crypto Fund: A data breach resulted in the publication of over a quarter of a million customer usernames and passwords online. The personal data of 266,000 registered Trident Crypto Fund users was illegally accessed when a database was compromised. The hackers responsible for the attack decrypted and published a dataset of all login IDs and passwords.
- Key Ring: The creator of a digital wallet app widely used across North America exposed 44 million records, which include IDs, charge cards, loyalty cards, gift cards, medical marijuana ID cards and personal information, researchers say.
Enforcements

| Name | Fine | Authority |
| --- | --- | --- |
| N26 | EUR 50,000 | Data Protection Authority of Berlin |
| SERGIC | EUR 400,000 | French Data Protection Authority |
| UNICREDIT BANK SA | EUR 130,000 | Romanian National Supervisory Authority for Personal Data Processing |
| ACTIVE ASSURANCES | EUR 180,000 | French Data Protection Authority |
| PWC Business Solutions | EUR 150,000 | Hellenic Data Protection Authority |
| DSK Bank | EUR 511,000 | Data Protection Commission of Bulgaria |
| Raiffeisen Bank SA | EUR 150,000 | Romanian National Supervisory Authority for Personal Data Processing |
| Iberdrola Clientes | EUR 8,000 | Spanish Data Protection Authority |
| Deutsche Wohnen SE | EUR 14,500,000 | Data Protection Authority of Berlin |
| Menzis | EUR 50,000 | Dutch Supervisory Authority for Data Protection |
| UWV | EUR 900,000 | Dutch Supervisory Authority for Data Protection |
| Jocker Premium Invex | EUR 6,000 | Spanish Data Protection Authority |
| Linea Directa Aseguradora | EUR 5,000 | Spanish Data Protection Authority |
| Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance | EUR 9,000 | Cypriot Data Protection Commissioner |
| Allgemeine Ortskrankenkasse | EUR 1,240,000 | Data Protection Authority of Baden-Wuerttemberg |
| Centro de Investigación y Estudio para la Obesidad, SL | EUR 50,000 | Spanish Data Protection Authority |
| Securities America Inc. | USD 125,000 | Financial Industry Regulatory Authority (FINRA), USA |
| Residential Mortgage Services Inc. | USD 1,500,000 | New York Department of Financial Services (NYDFS) |
| Kutxabank SA | EUR 60,000 | Spanish Data Protection Authority (AEPD) |
| First Unum Life Insurance Company & Paul Revere Life Insurance Company | USD 1,800,000 | New York State Department of Financial Services |
| American Express Services Europe Limited | GBP 90,000 | Information Commissioner’s Office (ICO), UK |
| Telepass Spa | EUR 2,000,000 | Italian Competition Authority |
| National Bank of Greece | EUR 20,000 | Hellenic Data Protection Authority (HDPA) |
| Banco Bilbao Vizcaya Argentaria, S.A. | EUR 120,000 | Spanish Data Protection Authority |
| PRA Iberia S.L. | EUR 60,000 | Spanish Data Protection Authority |