Streamline your cloud experience and maximise your cloud investment with Microsoft Azure-aligned public cloud services.
Host all of your workloads in the most appropriate location while experiencing the simplicity of one cloud from Six Degrees.
Enhance your cyber security and safeguard your organisation with our cyber security strategy and advisory, consultancy, and managed services.
Connect your business through a comprehensive connectivity portfolio delivered via our owned and operated core Next Generation Network (NGN).
Access the smarter, faster technology needed to make the most of your hybrid working future.
Streamline your hosting with comprehensive colocation services delivered from three UK data centres.
Gain clarity and control of your 5G estate, ensuring ongoing cost efficiencies are managed on your behalf through our managed service.
Gain confidence in your cloud direction and achieve accelerated time to value through our assured and optimised cloud services.
Master today’s complex threat landscape and protect your business with our intelligence-led security services.
Videos and webinars are a great way to digest the latest technology insights.
Our eBooks and whitepapers provide in-depth insights from our experts.
Our thought leaders publish regular blogs on up-to-the-minute topics.
Learn all about the latest news from Six Degrees as we continue to evolve.
We host regular in-person and virtual events for our clients.
Learn how we enable our clients to achieve more; providing superior secure solutions, powered by our passionate people.
We are proud to partner with many of the world’s leading vendors, enabling you to leverage our continual investment in difference-making technology.
Learn how CNS at Six Degrees delivers intelligence-led security services that protect organisations in today’s hostile landscape.
We are committed to operating in an environmentally and socially conscious way. Learn more about our commitments as a business.
We are proud of our secure cloud credentials. Learn why we’re one of the most highly accredited providers in the UK.
We are a friendly and passionate bunch here. Whether you want to work with us or for us, we think you’ll enjoy the Six Degrees experience.
Home » Blogs » Five Biggest Data Breaches in Financial Service History: Lessons to Be Learnt
The work-from-home era has led businesses to embrace a far more agile workplace. This will bring substantial benefits long-term. It has also introduced a wide range of new risks that every business needs to confront. But cybercrime obviously isn’t new. During 2019, 54% of companies reported one or more attacks.
The question isn’t really if your organisation will suffer an attack — it’s when. Cyber security leaders are responsible for making the necessary preparations to minimise financial, operational and reputational risk. With proper planning, it’s possible to do right by both your business and your customers.
Here, we are going to look for lessons from the past. By going over the top data breaches in financial service history, we can identify weak points and help you quantify risk and deliver a positive future.
Let’s get started.
On July 19, 2019, Capital One discovered that someone had hacked into about 106 million Capital One Capital Card customer applications and active accounts. The hacker accessed social security numbers and 80,000 linked bank accounts in the United States. Even worse, about 1 million Canadian social insurance numbers were leaked.
A Capital One tech worker gained access to the company’s servers via a misconfigured web application firewall. The tech worker, Paige Thompson, was arrested by the FBI and is awaiting trial. She faces a potential 25-year federal prison sentence.
This is another case of how people (malicious or not) are often the weakest point in your security system. However, had Capital One configured their firewall correctly, this single hacker could have been stopped from inflicting millions of dollars in damages. This highlights how basic cyber hygiene can dramatically reduce risk. Employing third-party cloud firewall services is a practical way to ensure proper maintenance if your internal resources are at capacity.
In May 2019, the website for First American Financial Corp., a major real estate title insurer, exposed approximately 885 million financial and personal records related to real estate transactions that dated back to 2003. The records were unsecured and could be read by anyone.
The data escaped through what is known as a “business logic flaw”. This is a piece of code that is part of a legitimate workflow, but can be used for malicious outcomes. The attacker is enabled to get around the programmed business rules of the application, disguising the hack as a valid web request.
Among other technical coding and design flaws, the First American Financial breach was caused by insufficient process validation. When an application fails to enforce the rules, the attack proceeds. Fundamentally, it’s critical to make sure that you have the necessary technical resources required to identify and remove these types of vulnerabilities.
Finally, we go back to September 2017 for the infamous Equifax breach. The breach exposed the names, social security numbers, birthdates, telephone numbers, and email addresses of 143 million accounts in the United States and 400,000 in the United Kingdom. The hackers also stole credit card numbers of over 209,000 customers.
Although the total number of people impacted by this breach is less than some of the other examples listed here, the sensitivity of the data (and the volumes) puts this top of our list as the biggest breach in financial services history. The breach costs Equifax up to $700 million in fines.
The hack was via a six-month-old Apache Struts vulnerability. Apache Struts is an open-sourced tool with plug-in supports. The vulnerability allowed remote coders to hack into Equifax data.
Aside from the fact that Java web applications are ripe targets for hackers, using modules with known vulnerabilities is a particularly bad idea. The lessons learnt by Equifax’s top leaders — CEO, CIO, and CSO were life-changing. They resigned in the face of the bad publicity and resulting lawsuits. Keep on top of your updates, and regularly review your system vulnerabilities.
There are no guarantees in cyber security. The fact that four-out-of-five of these incidents occurred since 2019 highlights the escalating nature of the problem. But there are steps you can take to mitigate risk.
At Six Degrees, we’ve developed a number of pillars to our cyber security strategy. We execute these in-house, and help our clients do just the same. If you want personalised support, get in touch.
An astonishing 90% of UK data breaches in 2019 were due to human error. Most of these were mistakes, not malicious attacks. But it’s critical to build systems that are easy to use and develop robust training policies. For example, keep your staff up to date on the latest phishing trends, and create redundancies in your system that prevent easy mistakes.
Fundamentally, you need to create repeatable and traceable processes which align your people and technology within mutually supportive systems. Have a viable BYOD policy, isolate vulnerabilities and have a strategy for change. The answer is never going to be one thing, it’s about analysing different risk vectors and creating a plan which takes each factor into account.
Strategic aside: Having a people policy is one thing, getting buy-in and execution is another. You need cross-departmental support, and the cultivation of a cyber-aware culture in your organisation. Getting leadership support is important.
For specifics on how to better position cyber within your business, check out our free resource — Board Presentation Toolkit: Cyber Security and Threat Management.
Risk always needs to be contextualised. Not every business can afford to accommodate the same level of risk, and simply knowing that a risk exists doesn’t tell you how much of a problem it actually is. You need to account for your specifics and place risks within a framework aligned with your business priorities and profile.
Generally speaking, financial services need to take a more risk-averse stance than most businesses. But it’s still worth asking yourself a basic set of questions about risk management.
These include:
From here, you can start to place security risks within the context of business outcomes. This is the key to understanding where your priorities should sit, and how you need to respond in order to stay secure while continuing to drive positive business results.
Finding the right skills, building a process, and procuring cutting-edge technology requires dedicated resources. Strategic partnerships with the right service providers can deliver outcomes without draining your internal resources. Check out our cyber security assessment to get a better picture of your strengths and weaknesses.
If you suffer a breach, you need to treat it as a learning experience, and we can help you with incident response and follow-up protective monitoring. It’s all about staying secure, strong, and competitive. Get in touch if you want a free consultation about your next steps.
Artificial intelligence (AI) is enhancing our lives both in and…
In this blog our Mobile Product Director Rupert Evans explores…
SIM swap cyber-attacks, when a phone number is transferred to…
It’s not just the good guys using AI – hackers…
More information on our Privacy and Cookies Policy can be found here: https://www.6dg.co.uk/privacy-cookies/. You can update how we contact you in the future by visiting our Communications Preference Centre here: https://www.6dg.co.uk/preference-centre/.
