The history of financial sector cybersecurity (and how it's influencing the 2024 landscape) remains top of mind for those in the industry.
With financial institutions being ranked as one of the primary targets for cyberattacks around the globe, particularly with the advent of the digitalization of financial services, the investment in quality cybersecurity has never been more of a priority.
In today’s blog, our ethical hackers cover the top financial sector cybersecurity statistics (and events) you need to know. Let’s jump right in:
In recent years, there has been a sharp uptick in both the frequency and the sophistication of cyberattacks on the financial industry.
This has been reflected by the following findings:
Financial institutions ranked as the second most-impacted sector by cybercrime based on reported data breaches from the past three years (with healthcare being the #1 most-impacted)
Institutions in Argentina, Brazil, and China were the most impacted countries
As of December 2022, finance and insurance organizations around the globe experienced 566 total breaches (leading to over 254 million leaked records)
(This is double the 34% reported in 2021)
Only 1 in 10 attacks were halted before encryption took place
81% of organizations were victims of data encryption
Ransomware attacks on the financial sector have skyrocketed from 55% in 2022 to 64% in 2023
Speaking of ransomware, recent reports show the financial industry being particularly hard-hit by this attack vector. This includes:
2023 being the highest-ever rate of ransomware attacks in the finance industry
Only 14% of finance companies reporting that they were able to halt an attack before they were locked out of accessing their own data
In 25% of ransomware attacks, the threat actors stole data in addition to encrypting it
These findings indicate that human error remains a leading root cause of many attacks, suggesting there are opportunities to eliminate common vulnerabilities with in-depth internal training and robust risk management plans.
Cybersecurity risks to the financial system have grown in recent years, in part because the cyber threat landscape is developing at a breakneck pace; this is particularly reflected by a steady increase in state-sponsored cyberattacks targeting financial institutions.
By examining historical cyberattacks, professionals can glean insight into emerging trends (and how to counteract them). Below is an overview of some of the world's top financial sector cybercrime, divided by year. For a full breakdown of the recent history of financial sector cybersecurity, including over 200 instances of global cybercrime, visit the FinCyber Project.
Estonia became the victim of a series of coordinated DDoS attacks against government, bank, university, and newspaper websites that lasted three weeks, following the relocation of a Soviet-era statue that sparked outrage. On the financial side, the magnitude of the attacks forcibly suspended online banking and, subsequently, bank card transactions and ATM usage. Individual Russian threat actors, who were communicating openly about the attacks in Russian-language chatrooms, claimed ownership of the attacks
In September 2007, online brokerage TD Ameritrade announced that its database had been the target of a successful ransomware attack that resulted in the theft of 6.3 million customer records. It was achieved via investment-oriented phishing emails sent to TD Ameritrade staff. Although both the FBI and U.S. federal financial regulators investigated the breach, no arrests were reported; TD Ameritrade did, however, pay out a collective $6.5 million to impacted customers in order to settle a class action lawsuit related to the attack
The confidential information of over 192,000 customers was stolen from the financial services holding company DA Davidson in the wake of a successful SQL injection over the Christmas holiday. Threat actors attempted to ransom the firm after the attack; however, a U.S. Secret Service investigation found that four Latvian nationals had launched the attack, and they were subsequently charged. DA Davidson was issued a Financial Industry Regulatory Authority fine of $375,000 for failing to protect customer information
In an attempt to cover up a staggering $7.2 billion in losses from risk-based trades, a junior trader at the French Bank Société Générale executed a series of fraudulent transactions. This was accomplished by booking falsified trades on coworkers' accounts and utilizing pre-existing knowledge to circumvent the organization's internal risk controls. Although the employee was arrested and sentenced to three years in prison, Société Générale suffered what was hailed "one of the biggest trading losses on record" due to this incident, and was levied a $6 million penalty by the French banking regulator
Early on in 2008, a Russian hacking ring penetrated a network of Citibank ATMs across New York City and subsequently stole over $2 million. This was made possible by gaining access to a server that processed said ATM withdrawals within 7-Eleven stores within the city. Investigators later linked this theft to a global network of threat actors who had stolen mass card information as early as 2005
A clerk who worked at HSBC's London headquarters fraudulently wired himself €90 million by using passwords he had stolen from coworkers. He was caught and subsequently sentenced to nine years in prison, with the money being swiftly returned to the original owners
In the weeks before Russia invaded Georgia, Georgia was the victim of a coordinated DDoS campaign that successfully targeted both government and bank websites. The first wave of DDoS attacks was accomplished using a strain of Pinch malware frequently used in Russia, which flooded websites with traffic that included the phrase "win love in Russia." Although a group of threat actors by the name of South Ossetia Hack Crew claimed responsibility for the attacks, Georgia would attribute the attacks to the Russian government, which denied the allegations
Six banks across the UAE sent an alert to customers to urgently change their PINs after a wave of ATM fraud in the region. HSBC, one of the affected banks, said the move was in response to counterfeit ATM card usage abroad
The Atlanta-based credit card processing company RBS WorldPay was breached by an international crime ring, falling victim to sophisticated hacking techniques that broke the company's customer data encryption. Once the encryption had been breached, the crime ring created falsified payroll debit cards, raised their account limits, and employed a series of individuals to use the cards to withdraw over $9 million in total. Afterwards, the investigation identified over 1.5 million customers whose confidential information was compromised, and the crime was linked to threat actors across Russia, Moldova, Nigeria, and Estonia
Skimer, an advanced malware with multiple functions, was found employed in several ATM cyberattacks around the globe. Since the malware is capable of executing over 20 malicious commands, including, but not limited to, withdrawing ATM funds and stealing banking information, it is still at play in the 2024 financial sector cybersecurity landscape (and remains a significant threat)
A Trojan malware commonly known as "Zeus" played a critical role in a variety of cybercrime to successfully steal data from Windows devices. Zeus's source code was made public in 2011 after its reported creator announced his retirement, which allowed multiple versions to spread. The multifunctional Trojan included a keylogger that recorded bank login credentials alongside a botnet that executed attacks using infected devices
Between June and July of this year, threat actors targeted customers of Vodacom with phishing attacks in order to execute fraudulent bank transactions. The hackers stole bank account details by imitating bank officials, as well as by utilizing one employee, who intercepted one-time passwords on falsified SIM cards in order to facilitate the cash flow
Financial institutions across both the United States and South Korea were among several targets of a widespread DDoS attack that comprised three waves of attacks over a six-day period: a botnet of up to 65,000 compromised computers blocked and slowed government and commercial websites in both countries for several hours at a time, impacting the New York Stock Exchange, Nasdaq, the White House, and the Washington Post. Several days later in South Korea, the sites of Shinhan Bank, the newspaper Chosun Ilbo, and the National Assembly were impacted, bringing the total to thirty-five targeted sites. The malware spread through email with a "time bomb" embedded in its code, which overwrote the victim's hard drive with the string "Memory of the Independence Day." This overwrite destroyed the master boot record and made the impacted devices unusable
In early 2010, a threat actor leaked financial details of banks, tax records, and state-owned firms to a Latvian TV station to "increase awareness of lucrative public sector salaries during a period of austerity in Latvia." Ilmars Poikans, an IT researcher who used the alias Neo for the attack, was arrested for the breach and sentenced in 2015 to community service for unlawfully accessing over 7.5 million tax records. He was pardoned in December 2017
The National City Bank identified a series of former debit accounts that had been compromised; the breach was only discovered after PNC Financial Services acquired the bank in 2008, which, in turn, underlined how critical the assessment of existing cybersecurity measures during mergers and acquisitions is
A Bank of America employee was charged with computer fraud after he covertly installed malware on over 100 ATMs to steal $304,000, in an early example of ATM “jackpotting.” The man was jailed for 27 months after admitting to writing code that ordered the ATMs to issue cash without a record of said transactions
In New York, a Russian national was jailed for three years for laundering over $246,000 through Charles Schwab brokerage accounts in 2006. The threat actor accessed the accounts through a keylogging Trojan, which successfully captured the information of 180 credit cards
In mid-2010, over $200,000 in fraudulent transactions took place across New York City and Washington, DC. These transactions were traced back to compromised accounts and withdrawals in Pittsburgh, where two Romanian threat actors were subsequently sentenced to prison for bank fraud, access device fraud, and identity theft. This marked one of the first uses of ATM skimming in the U.S.
At the start of 2011, a cyber surveillance virus, "Gauss", was utilized to steal insider information from various banks across Lebanon. Similar to both the Flame and Stuxnet malware, Gauss enabled hackers to steal passwords, browser cookies, and banking credentials; the majority of the over 2,500 infections were found on personal computers. News outlets speculated that Gauss was developed by the U.S. and Israeli governments in an attempt to circumvent Lebanon's strict banking secrecy laws, which have made it difficult for global authorities to access information on suspected wrongdoing
South Korea was the target of a widespread DDoS attack, almost two years after a similar campaign in 2009. Institutions included, but were not limited to, Hanabank, Jeilbank, and Wooribank, alongside both government websites and the network of U.S. Forces Korea
In June 2011, bank and retail payment processor Global Payments was hit by a major data breach in which data on 1.5 million cards, with enough information to counterfeit the cards, was stolen from a handful of servers. The incident swiftly prompted both Mastercard and Visa to warn card-issuing banks about the potential fraud, although the investigation remains open
150 fraudulent sites advertising fake investment opportunities to solicit funds were created to glean confidential information from individuals; victims of this scam spoke with threat actors posing as brokers who were claiming to be employed by banking institutions that they had spoofed on the fraudulent websites
Threat actors successfully targeted Postbank, a division of the South African Post Office, and infiltrated the organization's IT system to siphon off cash into dummy accounts; this resulted in a staggering R42 million from accounts being stolen
Boleto Bancario, a payments system used for nearly 50% of non-cash transactions across Brazil, was the target of malware that hijacked the victims' browsers and rerouted payments to threat actor-controlled accounts. This malware compromised $3.75 billion in payments within two years, leveraging numerous versions including Eupuds, Boleteiro, and Domingo, according to cyber researchers at RSA
In September, a hacktivist group named "the Cyber Fighters of Izz ad-Din al-Qassam" launched a series of powerful DDoS attacks against multiple U.S. financial institutions that sent over 100 gigabits per second of data to targeted sites. Naming the campaign Operation Ababil, the group justified their attacks as retribution for an anti-Islam video released by the U.S. pastor Terry Jones
On Christmas Eve, Bank of the West was the target of a successful DDoS attack that threat actors used to conceal over $900,000 in fraudulent transfers out of accounts belonging to a Californian construction firm. The perpetrators made the fraudulent transfers before they knocked the bank's website offline, during which time a network of more than 60 money mules was used to move the funds into criminal accounts
The Shinhan, Nonghyup, and Jeju banks in South Korea became the targets of a Trojan that deleted data and disrupted ATMs, online banking, and mobile payments. Trojan.Jokra was used to wipe disks and, after over six months of attacks, South Korean politicians said this wave of cyberattacks cost the country almost $650 million in economic damages
The CME Group, which operates the globe's largest futures exchange, announced in November that its ClearPort clearing service had been compromised the previous summer. The firm stated that some customer information was compromised; however, trading was reportedly not impacted
The malware Ploutus was built to be installed directly on ATMs across both Mexico and the United States in order to give a threat actor privileged rights, including the ability to dispense cash on demand via SMS or via a keyboard attached to the ATM itself. The malware has since been altered several times to enable its usage across newer ATM models
The pro-Russian group CyberBerkut hacked into PrivatBank, one of Ukraine’s largest commercial banks, and published stolen customer data on VKontakte, a popular Russian social media website. From there, CyberBerkut prompted PrivatBank customers to transfer their money to Russian state-owned banks
A collective of threat actors targeted the Road Traffic Management Corporation, stealing R8.5 million through a series of fraudulent transfers. Over R4 million was recovered, and several of the instigators were successfully apprehended
The European Central Bank (ECB) announced that threat actors had breached the security of one of their databases, which contained email addresses and other contact data submitted by people registering for events at the financial institution. The ECB stated in an announcement that the majority of the stolen information was encrypted, and that no internal systems or sensitive market data had been compromised due to the database in question being separate from those systems. It was released that an estimated 20,000 people had their information exposed via non-encrypted forms
The Metel banking Trojan, first unveiled in 2011, was repurposed by a cybercrime ring in 2015 in order to steal from bank ATMs (and, eventually, influence the Russian exchange rate). The threat actors utilized spearphishing emails and browser vulnerabilities to deliver Metel, also known as Corcow, and access the bank's systems before pivoting into areas that allowed them to roll back ATM transactions. In February, Energobank fell victim to a Metel infection which permitted the hackers to place over $500 million in currency orders, making the ruble volatile (swinging between 55 and 66 rubles per dollar for close to 14 minutes). During this time, Metel had infected 250,000 devices and more than 100 financial institutions
Records for nearly 80 million customers were stolen from Anthem, a U.S. healthcare insurer, after hackers deployed a successful spear phishing campaign that granted access to 90 of the organization's systems, which included its back-end database. The stolen data was taken over the course of several weeks and included personal information, such as social security numbers. A subsequent report by the California Department of Insurance pointed to a national government as the most likely culprit for the attack, and revealed that Anthem was exposed for a year before the compromise was discovered
Starting in June, the Shanghai Composite Index began to fall, and by mid-month it had dropped by 13%. Chinese stock markets continued to fall throughout July and August, and again in January and February 2016. Although there is no public evidence, speculation has circulated that the initial sudden crash may have been caused by a cyberattack
A hacktivist group, DownSec Belgium, shut down the website of Belgium's National Bank for a morning by leveraging DDoS attacks. Little information has been reported about the attack, but it followed similar DDoS attacks by the same group against the websites of the Belgian Federal Agency for Nuclear Control, the country's Crisis Center, and its federal cyber emergency team
An anonymous source leaked over 2.6 terabytes of information from the Panamanian law firm Mossack Fonseca to the German newspaper Süddeutsche Zeitung. The journalists shared the 11.5 million leaked documents with a dozen global news organizations, which subsequently published a wave of stories regarding the revealed money laundering and tax evasion. Ramifications of the leak included the resignation of the Icelandic prime minister, numerous tax evasion investigations, and Mossack Fonseca shutting down permanently
In May, hacktivists took down the Bank of Greece's website for a short period of time and, afterwards, did the same to the central banks of Mexico, Panama, Kenya, and Bosnia and Herzegovina. Anonymous claimed responsibility as part of Operation Icarus, which was stated to be a campaign against the world's central banks
Beginning in February, $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange. The threat actors involved also stole PII from 30,000 customers. The South Korean government attributed the attack to North Korea. On January 16, 2018, Recorded Future, a security firm known for analyzing state-sponsored attacks, confirmed that the Lazarus Group in the North Korean government was behind the thefts
An estimated $5.6 million in cryptocurrency was stolen from YouBit, a South Korean cryptocurrency exchange. Afterwards, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attacks
PesaLink, a jointly-owned payment transfer platform used widely by the bulk of Kenya's commercial banks, was the victim of a cyberattack. An official from the company claimed that the attack was halted successfully and that there was no resulting loss of funds or customer data
In January, threat actors attempted to steal $19 million from a private Costa Rican financial institution. In a submission to the United Nations Security Council Panel of Experts, the Costa Rican government confirmed that an investigation was launched by the Office of the Public Prosecutor’s Division on Fraud
ABN Amro, Rabobank, and ING were all the targets of cyber-based disruptions to online and mobile banking services. An 18-year-old from the Dutch city of Oosterhout was arrested in February for the attack after he claimed online that he had bought a "stresser" tool for €40 that, in turn, gave him the capability to send a deluge of traffic to targeted sites
City Union Bank in India suffered a breach that saw $1 million transferred to a Chinese institution. The threat actors involved attempted to make three transactions totalling $2 million by also sending money to locations in Dubai and Turkey, but were halted by both City Union Bank and the corresponding bank on the receiving end of the transfer, highlighting the importance of financial sector cybersecurity for organizations of all sizes
A security firm reported a banking Trojan called Janeleiro that has been targeting corporate users in Brazil since 2019. The malware steals users' personal information and banking credentials through fake pop-ups that imitate the websites of commonly used Brazilian banks
Multiple credit unions in the United States were hit by spear phishing email campaigns that impersonated compliance officers from other credit unions. Under the Bank Secrecy Act (BSA), financial institutions are required to have dedicated compliance personnel responsible for reporting suspicious transactions and potentially fraudulent activity to the U.S. government, making the campaign that much more believable to recipients. Emails sent to these compliance officers contained a PDF with a malicious link
The Bank of Valletta, Malta’s largest and oldest bank, shut down operations after an attempted cyber theft of €13 million. Threat actors made multiple transfer requests from the Maltese bank to accounts based out of the United Kingdom, United States, Czech Republic, and Hong Kong. The bank’s employees revealed that the fraudulent activity occurred during their daily facilitation of international orders. Within the hour, the Bank of Valletta notified other banks in an attempt to freeze the transactions. It also closed all its branches, halted usage of its ATMs and point-of-sale systems, and stopped all other electronic services, which were restored within 48 hours
Visa warned that sophisticated hackers were deploying web shells on compromised servers to exfiltrate credit card information stolen from online store customers. At least 45 eSkimming attacks occurred in 2020 using web shells alone
In February, Nedbank, a major bank based out of southern Africa, notified its customers of a breach of a third-party service provider hired by the bank for its marketing. The personal information of 1.7 million customers of the bank was compromised via this breach
Hackers transferred $35 million from a Hong Kong-based bank using "deep voice" technology to clone a bank director's speech. $400,000 of the stolen funds was traced to U.S.-based accounts held at Centennial Bank
In the winter, threat actors targeted PayPal accounts to carry out unauthorized purchases, estimated to be worth tens of thousands of euros, by exploiting PayPal’s Google Pay integrations. This breach mainly impacted German PayPal users
A new SMS-based phishing scheme targeted PayPal in an attempt to gain access to a variety of business and personal accounts. The messages impersonated the payment processor, warning users that their accounts have been limited and that they need to verify their identities immediately or risk account deletion
Claiming over 30,000 victims across the States, the cyberattack on Microsoft Exchange servers was first discovered by a security testing firm in January. The hackers, named "Hafnium", exploited four zero-day vulnerabilities in the servers to subsequently claim hundreds of thousands of victims around the world. This included the European Banking Authority and Chile's Comisión para el Mercado Financiero
The Reserve Bank of New Zealand suffered a data breach after hackers unlawfully accessed its info via one of the bank's third-party file sharing services
In January, the largest financial institution in Finland, OP Financial Group, suffered a cyberattack that disrupted its services by impacting logins to the site
The cryptocurrency platform Wormhole lost an estimated $322 million worth of Ether currency when a hacker exploited a vulnerability in the platform’s smart contracts, making it the second largest hack of a decentralized platform to date
Researchers began reporting on the banking Trojan Fakecalls, which has the ability to "speak" to victims and pretend to be an employee of the bank. Fakecalls mimics the mobile apps of popular Korean banks. The Trojan works by gaining access to a victim's contacts, microphone, camera, and location, with the end goal of gleaning payment data or confidential information from the victim
Cybercrime was accurately predicted to cost the world $8 trillion USD in 2023. As best put by Cybercrime Magazine, "If [cybercrime was] measured as a country, then it would be the world’s third largest economy after the U.S. and China."
In 2024 and beyond, the professional forecast is that global cybercrime damage costs (including within the financial sector) will skyrocket by 15% year-over-year for the next three years, reaching a staggering $10.5 trillion USD annually by 2025. This is a significant increase from the $3 trillion USD in damages reported in 2015. When broken down, these costs equate to $667 billion a month, $154 billion a week, $21.9 billion a day, $913 million an hour, $15.2 million a minute, and $255,000 a second.
These costs include, but are not limited to:
The damage or destruction of information
Stolen funds
Lost productivity due to post-breach investigations
Theft of intellectual property, personal data, and financial data
Fraud and embezzlement
General post-attack disruptions to organizational workflows
Necessary forensic investigations
The restoration (or deletion) of breached systems
Long-term reputational ramifications
In the 2022 Cybersecurity and Financial System Resilience report, the Federal Reserve Board underlined all potential risks and emerging threats that impacted the state of the North American economy; cybersecurity concerns (namely concerns for the financial sector) were at the forefront of this list. Both Ransomware-as-a-Service (RaaS) and Distributed Denial of Service (DDoS) attacks were named as specific threats to financial institutions.
Cybersecurity within the financial sector is not one-size-fits-all.
At Packetlabs, our flexible offerings encapsulate:
DevSecOps: DevSecOps is integrated early in your development cycle and acts as an extension of your development team to flag vulnerabilities within your existing detected management systems
Red Teaming: Red Teaming is a full-scope simulated attack designed to get a holistic review of the level of risk and vulnerabilities across people, processes, and tech in an organization
Purple Teaming: Purple Teaming is our collaborative testing exercise where the Packetlabs red team works with your internal security operations team (or blue team) to bridge the gap between offensive techniques and response efforts
Cyber Maturity Assessments: A Cyber Maturity Assessment supports the tactical direction of your cybersecurity strategy. As the first step in strengthening your security posture, this assessment generates the roadmap to strengthen your overall security program
OT Assessments: OT Cybersecurity Assessments simulate the likelihood of an attacker reaching the control centre from an external and internal perspective with production-safe testing
Ransomware Penetration Testing: A ransomware penetration test evaluates the preparedness and risk of a ransomware attack and identifies gaps in people, processes, and technology, to determine the likelihood and readiness for a ransomware attack
Cloud Penetration Testing: Multiple perspectives help with strengthening your security posture. These include Cloud Penetration Testing, which simulates an attacker in the environment, and a Cloud Penetration Review, which provides insights into cloud-specific vulnerabilities originating from an insecure configuration. Each of these services can be conducted separately or, for maximum effectiveness, combined as an enhanced cloud security bundle
Objective-based Penetration Testing: Following a preliminary penetration test, objective-based testing conducts a more advanced simulated cybersecurity attack. The test is conducted by persistent ethical hackers who deploy multiphase attacks to gain access to your organization's data so that you can discover gaps and vulnerabilities unique to your organization and test your ability to detect and respond to threat actors
Application Security Testing: More targeted in scope than a regular pentest, application security testing uncovers vulnerabilities residing in your web and mobile apps. Application Security Testing actively explores your application from an attacker’s perspective
Infrastructure Penetration Testing: An infrastructure penetration testing assessment uncovers vulnerabilities in your IT and network systems and provides a tailored approach to each environment
These are in addition to the Packetlabs Portal, which enables you to quickly view findings, prioritize efforts, request retests after remediation, and monitor progress.
Financial services is one of the most lucrative industries for threat actors to target in 2024; if an attack compromises critical organizational files or customers' private information, the consequences can be both long-term and costly. Data recovery alone can bankrupt some businesses, particularly if there are no viable data backups available. That does not include the upfront costs of service outages and potential reputational ramifications.
Threat actors are aware that those within the financial sector are likely to pay ransom in order to regain their customers' information... and are also aware that many financial organizations have the resources necessary to meet large demands.
If you're reading this, you're already in the market for a pentest. Contact our team today for your free, zero-obligation quote or download our Buyer's Guide below to take the next step.