11 Security Incidents that Illustrate the Digital Threats Facing Financial Firms
Given their line of work, it’s no wonder that financial organizations are a preferred target among digital criminals. Boston Consulting Group observes as much in a report finding that financial organizations suffer digital attacks 300 times more than companies in other industries. Undoubtedly, factors like collaboration between threat groups, as uncovered by IBM X-Force, motivate bad actors to stage so many attack attempts and improve their success rates.
Many security incidents involving financial organizations go on to make headlines. Below, I’ll examine 11 of these events so that we can begin to understand the evolving digital threats confronting financial organizations today.
FS-ISAC Suffers Phishing Attack
As reported by Brian Krebs, the Financial Services Information Sharing and Analysis Center (FS-ISAC) announced on March 1, 2018 that one of its employees had clicked on a phishing email. Doing so enabled bad actors to compromise the employee’s account and abuse it to send out additional phishing attacks against members of industry forum. That being said, these follow-up attacks had limited effect; Krebs learned that many FS-ISAC members quickly detected the secondary attack emails and reported them as malicious.
Iranians Charged with Targeting Banks, Other U.S. Organizations
At the end of March 2018, the U.S. Attorney’s Office for the Southern District of New York announced the arrest of nine Iranians charged with targeting committing data theft on behalf of the Islamic Revolutionary Guard Corps, an entity inside Iran’s government. In addition to targeting American universities and government agencies, the accused entities received charges for compromising employees’ email accounts at two banking and/or investment firms as well as 34 other U.S. private companies and an additional 11 private organizations located in Europe.
Two of Canada’s Largest Banks Contacted by Fraudsters
Digital fraudsters reached out to the Bank of Montreal on May 27, 2018 and informed the financial institution that they possessed the personal and financial information of a limited number of customers. That same day, bad actors told Simplii Financial that they had electronically accessed 40,000 customers’ personal and account information. Both Canadian banks responded by taking steps to enhance the security of their online systems and to proactively notify customers whose information the wrongdoers might have stolen.
Virginia Bank Breached Twice in Eight Months
In June 2018, the National Bank of Blacksburg filed a lawsuit against the Everest National Insurance Company after the latter party refused to fully cover the losses stemming from two digital security incidents. The first incident occurred over Memorial Day weekend in 2016; for that attack, bad actors used hundreds of ATMs across North America to dispense $569,000 from customers accounts. Despite implementing some security measures, the bank suffered a second attack in 2017 in which digital fraudsters used the bank’s Navigator system to credit over $2 million to multiple National Bank accounts.
HSBC Reveals U.S. Data Breach
In a sample “Notice of Data Breach” letter received by the California Attorney General’s Office, HSBC learned that unauthorized users had accessed customers’ online accounts between October 4, 2018 and October 14, 2018. These malefactors might have exposed customers’ personal and financial information including their names, dates of birth, account balances and statement histories in the process. After detecting the incident, HSBC suspended online access to affected customers’ accounts, enhanced its online authentication measures and offered affected users a complimentary one-year subscription to Identity Guard.
Olympia Financial Group, Inc. Discloses Ransomware Attack
In early February 2019, Olympia Financial Group, Inc. (“Olympia”) announced that it had fallen victim to a ransomware attack. The offending crypto-malware leveraged this initial infection to encrypt data stored on the Group’s network. Upon detecting the attack, Olympia took several measures to prevent the malicious software from spreading further on the network. It also launched an investigation into the matter and found no evidence that the ransomware had compromised any customers’ personal information.
Credit Unions’ Anti-Money Laundering Officials Targeted by Attackers
Just a few days after Olympia came out with its announcement, Brian Krebs reported that Bank Secrecy Act (BSA) officers working at credit unions had received emails that appeared to come from BSA officers at other credit unions. Those emails addressed recipients by name and informed them that a transaction from one of their credit union’s customers had been flagged for suspicion of money laundering. They then told recipients to open a PDF attachment that linked to a malicious site.
Cracker Toolkit for Bank of America Sold on Dark Web
According to Bloomberg, University of Surrey criminology professor Michael McGuire led a research team into the recesses of the dark web. There, the researchers discovered multiple tools for sale that allowed digital attackers to crack into the systems of well-known businesses such as the Bank of America and then steal login credentials. While conducting their research, the team also uncovered what appeared to be a list of Qatar National Bank customers’ passwords and PINs for sale on an underground marketplace.
Capital One Reports Data Breach
In mid-July 2019, Capital One released a statement in which it revealed that an external actor had gained access to the personal information of its credit card owners as well as individuals who had applied for a credit card through the entity. That data included names, email addresses, dates of birth and in some cases Social Security Numbers. Capital One responded by fixing the issue that enabled this access on its end and working with law enforcement. Through this investigation, the financial institution learned that the security incident had affected 100 million individuals in the United States and six million in Canada.
Silence Group Targets Banks Around the World
Group-IB released a report over the summer of 2019 that explored the tactics, techniques and procedures (TTPs) of the Silence threat group. The publication mainly covered the reconnaissance and phishing campaigns conducted by the group against Russian banks between May 28, 2018, and August 1, 2019. In the process of its analysis, Group-IB learned that Silence had abused a lack of Sender Policy Framework (SPF) settings to impersonate other institutions as well as had sent emails which appeared to originate from another bank.
Phillip Capital Inc Fined for Letting Criminals Hack Customer Account
In mid-September 2019, the U.S. Commodities Futures Trading Commission ordered futures brokerage firm Phillip Capital Inc to pay $1.5 million for failing to safeguard a customer’s digital security. The lapse occurred back in February 2018 when PCI’s information technology engineer received an email from a financial security company account that bad actors had previously compromised, reported Reuters. The engineer responded to the email by sending over login credentials for the affected customer without knowing that they had given them to attackers.
How Financial Firms Can Protect Themselves
The instances described above highlight several types of threats financial organizations must contend with in today’s world. To defend themselves against these and other attacks, financial firms should strengthen their email security posture by investing in an email security solution capable of analyzing incoming messages for new campaign patterns, phishing, spoofed senders, malicious URLs or attachments, and other indicators. This analysis should occur in real time while allowing legitimate correspondence to make its way through.