21st Century Financial Institution Data Breaches

As financial institutions and entities move more of their business online, both the risk and scope of data breaches have grown. Each year, financial institutions are subject to comprehensive attacks aimed at compromising their data. To understand the threat of data breaches, financial institutions and covered entities need to learn from prior attacks in order to build a comprehensive Cybersecurity Program to defend against such risks.

According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. Both the New York Department of Financial Services, under 23 NYCRR 500, and the FTC require financial institutions to submit notifications of data breaches or other security events that impact 500+ customers.

2005-02-14 18:27:20

RBS Worldpay Attack

A group of 4 hackers exploited a vulnerability in the network of RBS Worldpay, a subsidiary of Royal Bank of Scotland. Once inside the network, the hackers accessed account numbers and PINs of payroll debit cards that the company's customers give to their employees in lieu of paychecks. After this information was taken, ATMs across the world were hit, resulting in over $9 million stolen from the company.

2005-02-25 00:00:00

Bank of America "Lost" Data

Bank of America Corp. lost computer data tapes containing personal information of an estimated 1.2 million federal employees. The lost tape contained Social Security numbers and other account information that could leave members of the federal government vulnerable to identity theft.

2005-06-17 00:00:00

Mastercard Hack

An "unauthorized individual" infiltrated the computer network of a third-party payment processor and may have stolen up to 40 million credit card numbers. "While intruders who raided the processor's system had access to 40 million accounts, it's not clear how many account numbers were actually stolen."

2006-04-06 00:00:00

ADP Phishing Hack

Automatic Data Processing, at the time one of the world's largest payroll service companies, was the victim of a scam that compromised accounts at a number of brokerages including Fidelity, Morgan Stanley, Citigroup, and Merrill Lynch. A spokesperson for the company stated that the data thief "exploited a SEC rule that allows public companies to get names and addresses of shareholders from brokers, as long as the shareholder has not objected to the disclosure of such information." The company stated that the thief impersonated a corporate officer from a public company and got ADP to send the information.

2007-09-14 00:00:00

TD Ameritrade Breach

On September 14, 2007, online brokerage firm TD Ameritrade revealed that its database was the target of a data breach that led to the theft of 6.3 million customer account records. The attackers gained access to Ameritrade’s database via investment-themed phishing emails.

2007-12-25 00:00:00

DA Davidson Extortion Hack

On December 25 and 26, 2007, a Latvian hacker group breached the brokerage's database. The intruders obtained data on about 192,000 customers, according to the press release announcing the fine. (Previous reports indicated that more than 300,000 customer files were stolen.) The data included customer account numbers, Social Security numbers, names, addresses, dates of birth and other private information.

2008-10-01 00:00:00

Heartland Payment Systems Data Breach

In October 2008, Heartland Payment Systems, a Fortune 1000 company, was notified by Visa and Mastercard about suspicious transactions from accounts the company processed. A SQL injection attack in 2007 compromised computers used to process payments. The attack enabled the attackers to access a web login page, and they found enough data to create new physical credit cards. The total monetary loss to the company was over $200 million.

2008-10-09 00:00:00

BNY Mellon "Lost" Data

An archive vendor lost six back-up tapes during transport to a storage facility. More than 742,000 Florida residents may have had their personal data disclosed as a result, out of a total of 12.5 million consumers nationwide whose data was involved in the breach. "Those back-up tapes contained personally identifiable information for approximately 12.5 million shareholders. Because the back-up tapes contained data that had been used for different purposes and stored in different file types, the timing of notification to individuals varied."

2010-01-14 00:00:00

Lincoln National Financial Securities Exposure

A vulnerability in the portfolio information system for broker-dealer subsidiaries of Lincoln National Corp. potentially exposed the records of 1,200,000 people; 18,900 were New Hampshire residents. "This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies," the letter says. "The sharing of usernames and passwords is not permitted under the LNC security policy."

2010-04-07 00:00:00

Charles Schwab Hack

A Russian national was jailed for three years for stealing and laundering more than $246,000 through Charles Schwab brokerage accounts in 2006. The hacker accessed the accounts through a keylogging Trojan, which captured the information of 180 credit cards. The hacker and his accomplices sent a portion of the proceeds back to co-conspirators in Russia, according to the FBI. A couple of months later, another member of the gang was hit with an 18-month sentence. Alexander Bobnev, a gang leader from Volgograd, Russia, is at large, feds say.

2011-03-30 00:00:00

Nasdaq Hack

"Nasdaq OMX Group said on Saturday that it found "suspicious files" on its U.S. computer servers, but said there was no evidence hackers had accessed or acquired customer information or that its trading platforms were compromised." The suspicious files were found in a Web application called Directors Desk. The FBI and outside forensic companies helped conduct an investigation, which is continuing with the help of securities regulators.

2011-10-01 00:00:00

Citigroup Hack

Hackers infiltrated Citigroup's company systems by exploiting a 'garden variety' security hole in the company's website for credit card users. The hackers stole the personal information of over 200,000 customers. "The New York Times reported that the technique allowed the hackers to leapfrog from account to account on the Citi website by changing the numbers in the URLs that appeared after customers had entered valid usernames and passwords."

2012-01-01 00:00:00

Operation Ababil - DDoS Attacks

In 2012, US financial institutions were targeted by DDoS attacks from an Iranian group called Izz ad-Din al-Qassam Cyber Fighters. It was later learned that several Iranian individuals linked to the Islamic Revolutionary Guard Corps were implicated; they were later indicted by the US Department of Justice. Victims included Bank of America, Citigroup, PNC, Wells Fargo, Capital One, and HSBC, among others.

2012-02-01 00:00:00

Anonymous DDoS Attack on NYSE

Several financial exchange operators, including NASDAQ, were hit by DDoS attacks, resulting in poor access to the company website for days. However, there were no disruptions to trading. Anonymous claimed responsibility for the incident, stating it occurred out of sympathy for the Occupy Wall Street protests.

2012-03-30 00:00:00

Global Payments Breach

MasterCard, Visa, American Express, and Discover accounts were compromised after a third-party service provider, Global Payments, discovered its system had been compromised by unauthorized access. Experts noted that because "Global Payments is a relatively smaller player in the transactions services industry, servicing 800,000 merchants with a 3.5 percent market share" the breach was more localized than initially thought.

2013-11-15 00:00:00

CME Breach

In a communication to certain customers today, CME Group confirmed it was the victim of a cyber intrusion in July, making it one of the many organizations subject to this type of crime in recent months. The incident is the subject of an ongoing federal criminal investigation and CME Group is cooperating with law enforcement in its investigation into this matter.

2014-10-01 00:00:00

Experian 2014 Attack

A threat actor claiming to be a representative for one of Experian's clients convinced a staff member of the Experian South African office to relinquish sensitive internal data. The data impacted included phone numbers, email addresses, residential addresses, and job titles. Over 24 million customers and 800,000 businesses were impacted.

2015-05-01 00:00:00

IRS Data breach

The IRS said Friday that the number of taxpayers whose tax information may have been stolen by computer hackers now exceeds 700,000 - more than double the agency's previous estimate. The thieves accessed a system called "Get Transcript," where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer.

2016-06-01 00:00:00

Federal Reserve Cyberattacks

The Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, with several incidents described internally as “espionage”, according to Fed records. The US central bank’s staff suspected hackers or spies in many of the incidents, the records show. The Fed’s computer systems play a critical role in global banking and hold confidential information on discussions about monetary policy that drives financial markets. The cybersecurity reports, obtained by Reuters through a Freedom of Information Act request, were heavily redacted by Fed officials to keep secret the central bank’s security procedures.

2016-10-14 00:00:00

FIN11 Ransomware Campaign

On October 14, FireEye reported that FIN11, a financial cybercrime group active since 2016, has recently switched to ransomware as its primary mode of attack. FIN11 has been conducting attacks around the world since 2016. FIN11 campaigns initially focused on entering networks to steal data, with researchers noting that the hacking group commonly deployed BlueSteal, a tool used to steal banking information from Point-of-Sale (POS) terminals.

2017-03-01 00:00:00

23 NYCRR 500 Enacted

On March 1, 2017, the Department of Financial Services enacted a regulation establishing cybersecurity requirements for financial services companies, 23 NYCRR Part 500 (referred to below as “Part 500” or “the Cybersecurity Regulation”).

2018-11-06 00:00:00

HSBC Breach

HSBC became aware of online accounts being accessed by unauthorized users between October 4, 2018 and October 14, 2018. The information that may have been accessed included full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction history, and statement history.

2019-03-01 00:00:00

Capital One Data Breach

A former AWS software engineer illegally accessed one of AWS' servers storing Capital One's data and stole over 100 million credit card applications. The information included SSNs, bank account numbers, and Canadian Social Insurance numbers. Over 100 million people in the US were impacted.

2019-05-01 00:00:00

First American Financial Corp Data Breach

More than 885 million financial and personal records linked to real estate transactions were exposed through a 'common website design error.' The data compromised included names, email addresses, and phone numbers of closing agents and buyers. The NYDFS, in a $1 million settlement, found that the company failed to maintain effective governance and classification, proper access controls, and risk assessment policies.

2020-04-01 00:00:00

First Amended Cybersecurity Regulation

Part 500 was amended for the first time in April 2020 to change the date of the required annual certification filing from February 15 of each year to April 15.

2021-03-01 00:00:00

Flagstar Bank Clop Ransomware Attack

Accellion, a vendor that Flagstar uses for its file sharing platform, informed Flagstar on January 22, 2021, that the platform had a vulnerability that was exploited by an unauthorized party. After Accellion informed us of the incident, Flagstar permanently discontinued use of this file sharing platform. After the ransomware group stole the data, Flagstar received a ransom note demanding bitcoin payment or else the data would be released.

2021-03-03 00:00:00

Residential Mortgage Services, Inc. Consent Order

"The New York State Department of Financial Services (DFS) announced today that Residential Mortgage Services, Inc. (“RMS”) will pay a $1.5 million penalty to New York State for violations of the Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations. . . A July 2020 examination uncovered evidence that RMS had been the subject of a cyber breach in 2019 which had not been reported to DFS, in violation of Part 500.17 of the Cybersecurity Regulation. The breach involved unauthorized access to the email account of an RMS employee with access to a significant amount of sensitive personal data of mortgage loan applicants. Until prompted to do so by DFS in 2020, RMS failed to conduct an investigation and identify the consumer data exposed. The findings of the exam concluded RMS violated the DFS Cybersecurity Regulation in failing to timely report the breach, and that RMS failed to have a comprehensive Cybersecurity Risk Assessment, another requirement of the Cybersecurity Regulation."

2021-05-12 00:00:00

National Securities Corporation Consent Order

"National Securities, a licensed insurance company, collects private data in the course of its day-to-day operations, selling life insurance, accident and health insurance, and variable life/variable annuities insurance. The Department’s investigation uncovered evidence that National Securities had been the subject of four cyber breaches between 2018 and 2020, two of which had not been reported to the Department as mandated by the Cybersecurity Regulation."

2021-10-28 00:00:00

Diebold Nixdorf ATM Vulnerability

On October 28, 2021, researchers from Positive Technologies discovered vulnerabilities in the Wincor Cineo ATMs, owned by Diebold Nixdorf, an American multinational financial and retail technology company. With access to the dispenser controller's USB port, outdated or modified firmware could be installed to bypass the encryption and make cash ATM withdrawals. "Tracked as CVE-2018-9099 and CVE-2018-9100, the flaws were identified in the CMD-V5 and RM3/CRS dispensers"

2021-12-01 00:00:00

Block [Formerly Square] Insider Attack

Between late 2021 and early 2022, a Block employee surreptitiously downloaded reports detailing customer information without permission. It’s estimated that about 8.2 million current and former customers were included in the report. The compromised data included names, brokerage account numbers, and other sensitive information related to stock trading.

2021-12-04 00:00:00

Bitmart Hack

Bitmart, a crypto trading platform, experienced a major security breach, resulting in hackers withdrawing almost $150 million in assets. The security breach was mainly caused by a stolen private key, which affected two of its Ethereum and Binance Smart Chain hot wallets. The CEO says the hackers were able to steal a private key that opened multiple wallets, enabling access to a large amount of crypto.

2022-06-01 00:00:00

Flagstar Bank Hack

Flagstar Bank, one of the largest financial institutions in the US, was the victim of a data breach affecting almost 1.5 million customers. Banking information and personally identifiable information, including Social Security numbers, were leaked.

2022-08-02 00:00:00

Robinhood Crypto Consent Order

The New York Department of Financial Services "found critical failures in RHC’s cybersecurity program. The program did not fully address RHC’s operational risks, and specific policies within the program were not in full compliance with several provisions of the Department’s Cybersecurity and Virtual Currency Regulations."

2022-10-01 00:00:00

U.S. Bank Breach

In October 2022, U.S. Bank discovered that one of its vendors shared the personal information of its customers with unauthorized third parties. U.S. Bank began notifying impacted people in October 2022, confirming that unauthorized third parties obtained access to U.S. Bank customers’ personal information, including their names, addresses, Social Security numbers, dates of birth, closed account numbers, and outstanding balances with U.S. Bank. The individuals impacted are U.S. Bank’s current and former customers with a closed U.S. Bank credit card account. The information was shared by a collections company U.S. Bank employs as a vendor.

2022-10-18 00:00:00

EyeMed Vision Care Consent Order

"Superintendent of Financial Services Adrienne A. Harris announced today that EyeMed Vision Care LLC (“EyeMed”) will pay a $4.5 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ sensitive, non-public, personal health data, including data concerning minors."

2023-01-04 00:00:00

Coinbase, Inc. Consent Order

"Superintendent of Financial Services Adrienne A. Harris announced today that Coinbase, Inc. (“Coinbase”) will pay a $50 million penalty to New York State for significant failures in its compliance program that violated the New York Banking Law and the New York State Department of Financial Services’ (DFS) virtual currency, money transmitter, transaction monitoring, and cybersecurity regulations. These failures made the Coinbase platform vulnerable to serious criminal conduct, including, among other things, examples of fraud, possible money laundering, suspected child sexual abuse material-related activity, and potential narcotics trafficking. In addition to the penalty, Coinbase has agreed to invest an additional $50 million in its compliance function over the next two years to remediate the issues and to enhance its compliance program pursuant to a plan approved by DFS."

2023-02-01 00:00:00

Capital One Cyberattack

A security weakness in NBC Management Services, a partner firm of Capital One and Bank of America, was exploited, leading to the exposure of sensitive financial data of over 16,000 customers.

2023-05-01 00:00:00

MOVEit Cyberattack

"In May 2023, a ransomware gang called Clop began abusing a zero-day exploit of Progress Software’s MOVEit Transfer enterprise file transfer tool. Progress quickly issued a patch, but the damage was already extensive. Clop’s widespread attack saw it steal data from government, public, and business organizations worldwide, including New York City’s public school system, a UK-based HR solutions and payroll company with clients like British Airways and BBC, and others." Over 2,000 organizations have reported being attacked, with data thefts affecting more than 62 million people.

2023-05-24 00:00:00

OneMain Financial Group Consent Order

"OneMain Financial Group LLC (“OneMain”) will pay a $4.25 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500). OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events."

2023-11-01 00:00:00

2023 Amendments to Cybersecurity Regulation

On November 1, 2023, DFS announced amendments to Cybersecurity Regulation, 23 NYCRR Part 500.

2023-11-26 00:00:00

Citrix Bleed

A bug dubbed Citrix Bleed led to disruptions at 60 credit unions. In late 2023, a cybersecurity firm, Ongoing Operations, stated that there is "no evidence of any misuse of information," although it is "reviewing the impacted data to determine exactly what information was impacted and to whom that information belonged."

2024-01-12 00:00:00

Genesis Global Trading Consent Order

Genesis Global Trading agreed to settle with the NYDFS and surrender its ability to conduct operations in the state. “Genesis Global Trading’s failure to maintain a functional compliance program demonstrated a disregard for the Department’s regulatory requirements and exposed the company and its customers to potential threats,” said NYDFS Superintendent Adrienne Harris.

2024-02-13 00:00:00

Bank of America Data Breach

A data breach at Infosys McCamish, a financial software provider, compromised the name, address, date of birth, Social Security number, and other account information of 57,028 deferred compensation customers whose accounts were serviced by Bank of America.

2024-03-29 00:00:00

Q Financial LLC Data Breach

In 2024, Q Financial learned that one of its third-party vendors' software contained a vulnerability that enabled hackers to access personally identifiable information such as Social Security numbers. It is believed that ScreenConnect, a product of the vendor, ConnectWise, contained a vulnerability that was exploited in an outside attack.

2024-04-29 00:00:00

2023 Amendments in Effect

The amended regulation’s new compliance requirements will take effect in phases. Unless otherwise specified, covered entities have 180 days from date of adoption to come into compliance, or until April 29, 2024.
