Bitglass performed an analysis of all breaches in the financial services sector since 2006, with data aggregated from public databases and government-mandated disclosures. They found that leaks nearly doubled between 2014 and 2015, a growth trend on track to continue in 2016.
The nation’s largest banks have all suffered leaks at some point in the recent past. In the first half of 2016 alone, five of the nation’s top 20 banks disclosed breaches.
What caused the data leaks?
The report also explores the most common causes of data leaks in the sector. Led by lost and stolen devices at 25.3 percent of breach events, financial services organizations appear to struggle with data protection on managed and unmanaged devices.
“Device encryption on notebooks, management on mobile devices (with wipe option) are not rocket science anymore. Applying transparent encryption for data leaving corporate premises to the cloud is still unique and rare but the technology exists. Based on these facts it is surprising how strong this threat vector is. The risk that lost corporate devices pose could be mitigated by security awareness training and engagement by users at least as much as by the technical solutions,” Zoltán Györkő, CEO at Balabit, told Help Net Security.
The insider problem
While hacking accounted for a disproportionate number of individuals affected by financial services breaches, only one in five leaks were caused by hacking. Other breaches were the result of unintended disclosures, malicious insiders, and lost paper records.
“In effect, an external attacker quickly becomes an insider mounting an attack. Most external attackers will gain control of an insider’s computing device or user account. At this point, the attacker is essentially an insider. The key is to detect the next major phase in the attack process, which is reconnaissance and lateral movement. This phase occurs over weeks and even months and involves many steps,” said Gonen Fink, CEO at LightCyber.
“A large SOC may uncover some of these steps, but often faces the difficulty of not having an integrated detection environment. Specialization among the SOC team adds to this fragmentation, when some are experts in endpoints, others in file activity and still others are focused on various security devices. Finding the signs of an attacker at work while not drowning in a flood of security alerts requires that multiple detections can be understood together and seen as pieces of an orchestrated attack. This is a forest for the trees kind of issue, and it is one weakness faced by large SOCs,” concluded Fink.
One in four breaches in the financial services sector over the last several years were due to lost or stolen devices; one in five were the result of hacking. Fourteen percent of leaks can be attributed to unintended disclosures and 13 percent to malicious insiders.
“Not only malicious insiders, but hijacked user accounts also pose a high risk. The most costly cyber attacks, targeted attacks or APTs always involve a misused privileged user account. We believe that passwords are dead and behavior is the new authentication. Companies shall apply continuous monitoring and real-time behavior analytics on user activities to identify the anomalies. When extended with biometrics capabilities, such as keystroke dynamics or mouse movement characteristics, UBA tools can provide continuous authentication,” said Györkő.
Financial institutions under attack
Five of the nation’s 20 largest banks have already suffered data breaches in the first half of 2016.
In 2015, 87 breaches were reported in the financial services sector, up from 45 in 2014. In the first half of 2016, 37 banks have already disclosed breaches.
Over 60 organizations suffered recurring breaches in the last decade, including most major banks.
JPMorgan Chase, the nation’s largest bank, has suffered recurring breaches since 2007. The largest breach event, the result of a cyberattack, was widely publicized in 2014 and affected an estimated 76 million U.S. households. Other breaches at JPMorgan were due to lost devices, unintended disclosures, and payment card fraud.
Of the three major credit bureaus, the 2015 Experian leak was the largest, affecting 15 million individuals. Equifax has also disclosed several recent breaches, including unauthorized accesses earlier this year that affected hundreds of thousands of individuals.