Cyber Attacks on Financial Institutions: A History

Cyber attacks on financial institutions are always in the headlines because they involve high sums of money and often make waves throughout a country’s economy.  

These attacks happen in different shapes and forms, but they almost always have in common the human factor. They count on human vulnerabilities to gain access.

Here’s a history of the worst cases in recent history, so we can analyze the vectors and see what lessons we can learn from them. 

Introduction

Obtaining immediate access to a bank account comes with a lot of benefits. Although financial institutions have some of the most sophisticated and mature security controls in all industries, cyber attacks on financial institutions are very recurrent.

According to F5 Labs’ statistics, password login and distributed denial of service (DDoS) have been the most common cyber attacks on financial institutions. Furthermore, the attackers are shifting their focus away from classic software exploits and toward softer targets such as password logins and APIs (which also act as logins).

So, the question isn’t whether or not your company will be attacked, but when. However, you can do the right thing for your company and your customers with careful planning. 

Without further ado, let’s go back in time and look at the worst financial cyberattacks in history to learn from past mistakes.

How to Antecipate Cyber Attacks Caused by Human Risk?

Visit our page dedicated to supporting Financial Services Institutions with solutions and case studies to provide a deeper understanding of how to mitigate human risk and avoid most of the main attack vectors used by cybercriminals. 

Five Biggest Cyber Attacks on Financial Institutions

Canadian Credit Union Breach

In 2019, criminals exposed the personal information of up to 4.2 million Desjardins Credit Union members. This information leak was an inside job carried out by a malicious IT employee who stole sensitive personal data. Home addresses, names, email addresses, and transaction records were among the data. Worst of all, it featured social insurance numbers from Canada.

Investigations discovered that the compromise had also affected 1.8 million non-Desjardins credit cardholders six months later. Authorities hit the bank with a bill for more than $100 million to rectify the breach, while a class-action lawsuit is still underway, adding to the amount of this cyber attack on a financial institution.

Capital One Customers' Records Exposed

In July 2019, Capital One, the United States’ fifth-largest credit card issuer, announced that a hacker gained access to the personal information of 106 million customers and applicants in the United States and Canada.

This cyber attack on a financial institution provided access to highly personal information about consumers and small businesses from 2005 through early 2019, including names, social security numbers, income, and dates of birth as of the time they applied for one of numerous credit card programs.

The 2016 SWIFT Cyber-Heist

The SWIFT heist, also known as the hack, was narrowly avoided becoming one of the world’s largest heists thanks to a misspelling. The unidentified assailants, who may be linked to North Korea, got away with $81 million, which isn’t insignificant.

The hacking of SWIFT had a long and winding path. It first traveled through a Bangladesh bank, then through a set of $10 secondhand routers that were not protected by a firewall

Because SWIFT was not separated from the banking network, the hackers could use bespoke malware to take control of a SWIFT messaging app. They then used the messaging system to send banking transfers into their accounts.

Bank Of America DDoS Attack

The 2012 DDoS attacks targeted Bank of America, PNC, Chase, Wells Fargo, and others and rank as the most devastating cyber attacks on financial institutions.

These assaults, which involved tens of thousands of stolen application servers pinging those institutions’ websites with bogus traffic, caused significant financial harm to their targets.

However, rather than stolen data, the damage happened in the form of lost business. These attacks aimed to prevent customers from accessing their accounts, resulting in financial losses for banks.

Equifax Credit Card Data Breach

Finally, we return to September 2017 for the infamous Equifax breach, which occurred due to hackers gaining access via an Apache Struts vulnerability.

This cyber attack on a financial institution exposed names, social security numbers, birthdates, phone numbers, and email addresses of 143 million accounts in the United States and 400,000 in the United Kingdom.

The hackers also stole over 209,000 credit card numbers. Even though the overall number of people affected by this breach is lower than some of the other examples listed here, the sensitivity of the data (and the amount) places it at the top of our ranking as the most significant financial services data breach ever. Equifax could face fines of up to $700 million due to the data breach.

Lessons Learned

cyber insurance basics

It can be challenging to adopt cybersecurity risk mitigation solutions and methods in the financial industry. Nonetheless, banks and financial institutions can take simple actions to guarantee that their systems are protected against common cybersecurity threats in the financial services industry. It includes the following:

  • Overcoming the talent shortage by collaborating with other enterprises and security partners who supply managed services.
  • Implementing ongoing security awareness training programs or evaluating existing programs to ensure they are relevant and current with the current threat scenario.
  • Investing in detection and response systems can help you stay ahead of the game and avoid an assault.
  • Conducting consumer awareness activities to ensure that clients do not reveal critical information to cybercriminals.
  • Provide security training and quiz staff regularly to determine their understanding of cybersecurity risks.

For more information on mitigating human risk in Financial Services, visit our dedicated page with resources, case studies, and further information: Security Awareness for Financial Services.