How Are Financial Service Organizations At Risk Of Data Breaches? The Ultimate Guide 2020
Everything you need to know about the causes, prevention, and the legality of data breaches in financial services organizations
It is no news that complete privacy is a myth in the world we live in today. Every day 58 records per second are lost or stolen globally; that is nearly five million data records each day! Data breaches and digital privacy violations exploit vulnerable systems all too often, and who suffers most in this situation? The consumers. It is we who get our confidential information compromised because of a lack of awareness and of effective security systems.
Such breaches show no mercy to financial service organizations either. A study showed that financial services firms saw an increase of 389% in the number of records stolen in the first half of 2017 alone, and this number only grows with every passing year.
If you are a financial service organization worrying about the impact of data breaches, do not worry! In this blog, we will learn all there is to know about how organizations such as yours are vulnerable to breaches, what can be done to prevent them, what the legalities behind such actions are, and more!
Let’s dive in -
Table Of Contents
- Where Data Privacy and The Financial Services Industry Meet
- Case Studies
- What Leaves A Financial Services Organization At Risk For A Data Breach?
- Information Security And The Financial Services Industry- A Legal Overview
- What Can You Do To Protect Your Financial Services Organization From A Data Breach?
- What Are The Documents That Must Be Shredded?
- Where Does Endoshred Come In?
- Conclusion
- Further Reference
Where Data Privacy and The Financial Services Industry Meet
With the growing rate at which industries move their businesses online, data breaches and information theft have become more likely than ever.
Protecting customers' confidential financial information must be among the top priorities for all financial services firms. Your customers trust you with this data; it is therefore your responsibility to close off every route through which critical financial information could be left exposed to data thieves.
Before we go on to learn how to protect your data, let us understand what motivates data breachers to commit this crime.
Although money is the most widely recorded motive, stolen data can also be used to commit other crimes such as identity theft and insurance fraud. Sometimes these breaches target account numbers and other critical information specifically to enable such further thefts.
Despite heavy regulations, breaches in the financial services industry have only tripled over the past five years and that is detrimental to consumers, as well as service providers.
Case Studies
1. Global Payments Inc (2012)
Global Payments Inc, a company that processes card transactions, faced a massive data breach back in 2012. 1.5 million customers were warned that their debit and credit card numbers might have been compromised.
In its effort to recover from the data breach, Global Payments Inc spent nearly $100 million: $60 million on the investigation and remediation of the breach, $35.9 million on fines and fraud losses, and $2 million in insurance recoveries.
2. JPMorgan Chase (2014)
In 2014, JPMorgan Chase, the largest U.S. bank, faced a data breach that compromised the names, phone numbers, e-mail addresses, and postal addresses of 7 million small businesses and 76 million households' accounts.
Even though financial information per se wasn't stolen, the hackers were able to access the bank's systems and obtain a list of the applications and programs the bank was using, which they could later try to exploit.
3. Central Bank of Bangladesh (2016)
In a destructive bank heist, Bangladesh Bank was not only breached; malware was also installed on its systems so that employees would remain unaware of the fraudulent transactions taking place until it was too late to act.
4. Credit Bureau of the United States (2017)
This is considered one of the worst data breaches of all time. By hacking into one of the largest credit bureaus in the United States, cybercriminals stole the records of nearly 147.9 million people. The amount of sensitive information compromised, including social security numbers, birth dates, addresses, driver's license numbers, and more, was enormous.
5. FinServ Organization Taking Quick Action Upon Data Breach (2018)
When a financial services organization headquartered in Colorado, known for specializing in money transfers across the world, became aware of its data breach, it immediately moved all its records to another secure system and notified the relevant law enforcement authorities.
6. First American Financial Corp. (2019)
KrebsOnSecurity reported in May that the website of First American Financial Corp, a title insurer, had suffered a data breach that exposed nearly 885 million financial and personal records related to real estate deals dating back to 2003. Since the documents were viewable without authentication, they were visible to anyone.
7. Finastra’s Ransomware Attack (2020)
Finastra, one of the world's major core banking providers, had brought its servers back online only to suffer a ransomware attack on March 20, 2020.
8. Major Banks Of Greece Forced To Cancel Cards Upon Being Hacked (2020)
After a Greek tourist services portal where some of their customers had used payment cards was hacked, Alpha Bank, Piraeus Bank, Eurobank, and National Bank of Greece were forced to cancel 15,000 cards to contain the impact of the breach.
9. Massive Data Breach Of Cards Belonging to Indian Banks (2020)
10. Bank of America Corporation (2020)
The Bank of America Corporation, headquartered in Charlotte, North Carolina, announced a data breach that affected the clients who had applied for the Paycheck Protection Program.
The data compromised consisted of social security numbers, addresses, phone numbers, tax identification numbers, and other critical information.
What Leaves A Financial Services Organization At Risk For A Data Breach?
As you will have gathered from the case studies above, there are several ways a FinServ organization can remain vulnerable to data breaches. It is important to understand these points of vulnerability, take active measures to strengthen our security systems, and educate our employees and customers about the risk of data breaches. We also suggest having a detailed, structured emergency plan that gives you clear instructions on what to do if you do fall prey to such cyber thefts; moving all your records to another securely encrypted server as soon as a breach is detected could be one such measure. Remember that it is always better to be safe than sorry! In this section, we are going to learn the major causes of data breaches in financial services organizations, so that you know how to detect these red flags early on.
Here are some ways your FinServ organization could suffer from a data breach:
1. Cybercriminals
This one goes without saying. Cyber thefts make up nearly 40% of the external threats to the financial services sector. These cybercriminals do not always aim to steal funds; they may focus primarily on stealing critical credentials, which then open the door to other fraudulent activities for them, including identity theft, insurance fraud, and more.
These criminals generally sell the information they steal on the dark web at a high price. There have been cases where criminals left customers' funds untouched but preyed on their sensitive information instead, such as social security numbers, addresses, and phone numbers.
2. Digitization of FinServ Organizations
While this is not a direct cause in itself, it is a contributing factor. In this day and age of the internet, most well-known banks and other firms in the financial services sector are taking their businesses online in order to expand their reach and increase convenience for their customers. While digitizing a business has several advantages, including better reach and therefore better revenue, it also comes with the most important drawback of all: the exposure of data.
We aren't telling you not to digitize your firm if you haven't already; we are, however, warning you that it comes with consequences you must be ready to deal with effectively. With more and more businesses going online, more information is exposed than ever. Ensure that all your systems are properly encrypted and that you have a sound security program in place.
3. Employees
Research repeatedly shows that the biggest security threat to a FinServ organization from within its own firm is negligent employees. This is also often the case in instances of insurance fraud, money laundering, and other illegal activities involving the transfer of funds.
The only way to truly steer your employees away from careless mistakes, such as leaving passwords or other sensitive information out in the open or leaving phones that contain financial details unattended in public places, is to make them aware of the impact a data breach can have on your firm.
Conduct seminars or sessions for your employees on how prevalent data breaches are today and how alarmingly common they have become. Make sure they understand the seriousness of the situation; it is also smart to train your employees to detect such breaches.
4. Phishing Scams
Business Email Compromise (BEC)
We are all aware of the Nigerian phishing scams and how damaging they were. Email scams of this kind, which reach people unable to judge whether a message is genuine, are known as Business Email Compromise (BEC).
BEC is one of the most common scams: it exploits credentials and confidential data and tricks victims into losing their money. These criminals usually gain access to corporate email accounts and impersonate the account owner to commit further fraud against the company.
5. Third-Party Partners
Today, many FinServ organizations depend on third-party businesses such as vendors and partners to run their firm. More often than not, these third parties end up becoming a threat to data security.
Be extra careful about who you do business with: check their background, their security systems, and so on. Even for the smallest vendor, make sure you are aware of the different ways your information could be compromised.
6. Fraudulent Insiders
As we saw in the point about negligent employees, it is usually insiders who pave the way for fraudulent activity involving funds or data. In a recent study, 60% of FinServ respondents named privileged users as the biggest threat to their security, followed by executive staff (48%) and contractors (38%).
Privilege misuse can take the form of fraudulent money transfers, identity theft using customers' personal information, and the like. Run frequent background checks and track all transaction documents carefully.
7. Outdated Equipment
Nothing leaves your organization more vulnerable than outdated technology. Hackers are getting smarter by the day and break into even the latest technology, let alone outdated systems and unencrypted records.
Invest in up-to-date equipment and fund your IT department well. Make sure all your records are encrypted and that none of your systems are outdated or left neglected.
8. Malware
Financial malware is said to be a threat 2.5 times more common than ransomware. Nearly 75% of the top 20 US commercial banks have fallen prey to malware in the past.
Keeping your systems up to date and leaving no critical credentials unattended is the key to staying safe from such attacks. Use passwords on your systems that are not easily guessed.
9. Denial of Service Attacks
Denial of Service (DoS) attacks are by far the most common form of security breach in FinServ organizations.
In such attacks, cybercriminals flood a network or machine with traffic, or send data that triggers a crash, with the aim of denying access to services.
Information Security And The Financial Services Industry- A Legal Overview
Due to its ever-rising vulnerability to data breaches, the financial services industry is heavily regulated with laws stipulating strict security standards. Let’s take a look at such laws around the world:
General Data Protection Regulation (GDPR)
I. Introduction
The General Data Protection Regulation aims at regulating data protection and privacy in the European Union and the European Economic Area. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
II. Definition of Personal Data Breach by GDPR
Before we go on to understand the law- how does it define a personal data breach?
The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".
III. Principles of The Law
The GDPR sets out seven principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
IV. Compliance of The Law
The GDPR also governs how it is to be implemented and complied with. Every GDPR implementation plan must follow these six steps:
- Raising awareness enterprise-wide
- Designating a Data Protection Officer (DPO)
- Creating a data inventory
- Evaluating risk and performing a gap analysis
- Developing a roadmap
- Monitoring and reporting progress and compliance
V. Violations
Upon violation, "GDPR sets forth fines of up to 20 million Euros, or, in the case of an undertaking, up to 4% of its entire global turnover of the preceding fiscal year, whichever is higher."
Here are the six largest violations of the GDPR Law and the fines they had to pay:
- British Airways – 204.6 million Euros
- Marriott International Hotels – 110.3 million Euros
- Google Inc. – 50 million Euros
- Austrian Post – 18.5 million Euros
- Deutsche Wohnen SE – 14.5 million Euros
- 1&1 Telecom GmbH – 9.5 million Euros
Other International Laws/Rules Regarding Data Privacy In The Financial Sector
Fair and Accurate Credit Transaction Act (FACTA)
I. Introduction
The Fair and Accurate Credit Transactions Act, or FACTA, is a federal law of the United States passed in 2003. Its sole purpose is to enhance consumer protection, particularly with regard to identity theft.
II. Provisions of The Act
- Identity Theft Prevention and Credit History Restoration
- Fraud Alerts
- Truncation of debit and credit card numbers
- Identification of Possible Identity Thefts (Red Flag Rule)
III. Red Flag Rule
Created by the Federal Trade Commission (FTC) and implemented in 2008, it requires financial firms to identify red flags and use them to detect and protect their organizations against identity theft.
It is important to note what these red flags are. According to the rule, they fall into five categories:
- Alerts, notifications, or warnings from a consumer reporting agency
- Suspicious documents
- Suspicious identifying information
- Unusual use of a covered account, or a suspicious activity relating to it
- Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
This Rule has four major elements:
- Identify relevant red flags
- Detect red flags
- Prevent and mitigate identity theft
- Update programs
IV. Violation
FACTA violations can lead to:
- Civil liabilities
- Class actions
- Federal or state enforcement
- Monetary penalties, which vary depending on the extent of the violations and the damages incurred
- Civil penalties of up to $1,000 per customer in statutory damages
Gramm-Leach-Bliley Act
I. Introduction
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a federal law of the United States that requires organizations in the financial sector to explain how they share and protect their customers' private information.
II. Three Key Rules of GLBA
The Act comprises three key rules:
A. The Financial Privacy Rule
Regulates the collection and disposal of private financial information.
B. The Safeguards Rule
Requires all organizations in the financial services industry to implement effective security programs to protect such information.
C. Pretexting Provisions
Prohibits pretexting or the act of using false pretenses to access private information.
III. Violation
According to the Act:
- Financial institutions found in violation face fines of $100,000 per violation.
- Individuals in charge who are found in violation face fines of $10,000 per violation.
- Individuals found in violation can be imprisoned for up to 5 years.
What Can You Do To Protect Your Financial Services Organization From A Data Breach?
Now that we have understood information security in the financial services industry inside and out, it is time to look at precautionary measures. While studying the causes of financial data breaches you will already have gained an overview of the steps a FinServ firm must take. So what can you do to protect your financial services firm from a data breach and ensure that your customers can trust you with their sensitive credentials and records?
1. Get Educated
This is what you have just done by reading this blog, so you are already one step closer to safety! Getting educated on the various causes and implications of data breaches in the financial sector is the first step to securing your firm's data.
Stay up to date on the laws in your country regarding financial data security, understand the frequent amendments, and build a security culture in your organization that adheres to the compliance measures laid down in the laws that apply to your firm.
2. Educate
Once you have thoroughly understood what you need to do to protect your firm, educate your employees and your customers about it. Stress that negligence such as leaving passwords out in the open or disposing of documents improperly invites a data breach.
Remind your customers how important their credentials and records are and that they should not reveal such information to just anyone.
3. Run Background Checks
As we saw in the causes of breaches in this very blog, fraudulent insiders are among the major causes of cyberattacks. If any employee behaves suspiciously, fails to record even the smallest transactions, or leaves records lying around improperly, run frequent background checks to be doubly sure.
4. Update Your Systems
We have seen how outdated systems and unencrypted records can pose a great threat to your firm's data. Keep your technology up to date.
5. Have A Backup Plan Ready
If there is a data breach, what will you do? How will you proceed? Have all of this clearly planned and ready at your fingertips to put into action if you do fall prey to a breach. Transferring all sensitive information onto another secure server could be one of your measures.
6. Secure Disposal of Documents
Improper or negligent disposal of important documents is also one of the major causes of financial data breaches, identity thefts, and insurance fraud.
It is not enough to simply throw away the documents you no longer need. Hackers and cybercriminals can get hold of such confidential files and easily exploit the information in them.
Since burning the records you no longer need is not an environmentally friendly option, we recommend shredding such documents.
Shredding is the safest way to dispose of documents that hold sensitive information, and we are the experts at it! Keep reading to know where we at Endoshred come in.
These are only some of the ways you can protect your systems from being breached. Keep in mind that your vigilance will never go to waste.
What Are The Documents That Must Be Shredded?
In the last section, we spoke about how shredding is the most secure way to dispose of critical financial documents, and how failing to do so puts your firm at risk of widespread breaches.
That being said, what are the documents you must shred? Worry not, for we are giving you the perfect checklist of shreddable documents!
Here are the records that should be shredded:
1. Documents pertaining to customer information
- Account numbers
- Loan applications and all related documentation
- Personally Identifiable Information (PII)
- Banking Data
2. Documents Related to Accounting and IT
- Payroll statements
- Records pertaining to supplier information
- Internal reports
- Records pertaining to customer lists
3. Documents Related to HR
- Medical Records
- All documents related to health and safety
- Resumes
- Documents related to performance appraisals
- Payroll records
- Records of job applications
- Information pertaining to training and manuals
4. Documents at the Executive Level
- Financial statements
- Legal contracts
- Records of budgeting
- Strategic reports
- Correspondence
This is a basic list of documents you must consider shredding when no longer needed.
Where Does Endoshred Come In?
We at Endoshred strive to protect your privacy. Now that we know what causes data breaches in financial services organizations and how to detect and prevent them, how can we help you best shield your financial services firm from such breaches and cyberattacks?
As we learned in this very blog, negligent and improper document disposal is among the major causes of a financial data breach and this is where we come in. Endoshred is a pioneer in secure shredding and we primarily aim to give your records the security they deserve.
Using a shredding machine in your firm is not only extremely time-consuming but also demands a lot of energy and patience. Moreover, the noise from the machine will disturb your employees and customers. You will also need to ensure maximum security while these confidential documents are being shredded. Why go through all that when we are here to safeguard your privacy?
We provide secure paper shredding and recycling services at a location of your choice across the UAE. With our fully automated mobile shredding trucks, we assure you of on-site, environmentally friendly, and convenient destruction!
Not only do we provide secure document shredding, but also hard drive destruction services and shredding of other sensitive materials such as media tapes, electronics, etc.
Financial data breaches can happen to anyone, but with good awareness and the right precautions you can protect your firm from them!
Conclusion
In this blog, we learned how financial services organizations are vulnerable to data breaches.
We started off by seeing where information security and financial services meet. After looking at a few case studies from across the years, we dived into the causes of such financial data breaches.
We then moved on to take a look at the legality behind financial information security before we learned the measures you as a FinServ organization can take to protect your firm from cyberattacks/data breaches.
Upon seeing the importance of shredding to protect the security of financial services firms, we saw where Endoshred comes in.
We hope you liked this blog and learned what you came for.
Let us know what you are doing to protect your firm from data breaches!
Further Reference
https://www.fintechmagazine.com/fintech/top-financial-services-cybersecurity-and-data-breaches
https://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley_Act
https://en.wikipedia.org/wiki/Red_Flags_Rule
https://en.wikipedia.org/wiki/Fair_and_Accurate_Credit_Transactions_Act
https://www.infosecurity-magazine.com/news/data-breach-at-bank-of-america/
https://www.itgovernance.co.uk/blog/list-of-data-breaches-cyber-attacks-may-2020
http://www.rmmagazine.com/2018/04/02/6-steps-to-gdpr-implementation/