There’s good news about data breaches – sort of.
The 2016 Data Breach Report from the Identity Theft Resource Center finds that financial institutions saw a 26% decline in data breaches last year, though data breaches as a whole increased significantly.
Just eight credit unions are included in ITRC’s list for 2016 data breaches, comprising just 15% of all breaches in the financial sector, which itself accounted for 4.8% of total breaches. Other fields were less lucky, including the business sector, which saw 495 incidents comprising 45.3% of total breaches.
One important caveat – ITRC’s list covers direct attacks, so while FIs did see a decline, that doesn’t mean they didn’t still feel the impact of breaches against other industries, such as when merchants’ point-of-sale terminals are compromised, leading to losses for the financial institution.
“The study shows that attackers have found certain sectors more appealing than banking in 2016,” said Eric Hodge, director of Consulting at CyberScout, the Scottsdale, Ariz.-based firm that co-published ITRC’s report. “I would attribute this to the more effective regulatory environment in financial services.”
All told, data breaches rose by 40% last year, according to ITRC’s figures, from 780 reported in 2015 to 1,093 in 2016. The study shows that 52% of data breaches exposed social security numbers, while 72% of breached records were exposed due to hacking, skimming or phishing. Additionally, only 3,182 credit/debit card records were exposed in the financial services sector compared to 3.6 million credit /debit card records exposed in the healthcare industry.
“Thieves are typically after the social security numbers, which are collected by banks upon the opening of financial accounts,” said Eva Velasquez, president/CEO at the San Diego, Calif.-based Identity Theft Resource Center (ITRC). “With this information in hand criminals can now open new financial accounts, obtain loans, acquire utility accounts and even driver’s licenses.”
One reason for the decline at financial institutions? Hodge posited that cybercrooks take the size of the institution into account, adding that credit unions tend to have fewer awareness programs and less formal training than a traditional “big bank” like Bank of America.
“Your small-potatoes attacks, like ransomware or brute-force cracking attempts, happen to credit unions more often,” said Hodge. “While your sophisticated, organized attacks, like those from state-sponsored groups or organized crime, are more likely to be directed toward the large banks.”
What are the crooks after?
In the majority of data breaches and hacks, cybercriminals are after information that they can resell and resell quickly. Hodge said the “big score” for hackers is stealing payment card numbers, such as credit cards or ATM cards.
“They are surely after usernames and passwords, but generally as a means to get to the cardholder data,” said Hodge. “Identity theft is still a big problem as well, and in that case, they are generally after account numbers, social security numbers and all that verification data that a bank has, like mother’s maiden name, birthday, address and credit history information.”
There are, of course, payment card breaches that financial institutions have no control over. In January, for example, the Oregon-based SELCO Community Credit Union launched a legal complaint against Noodles & Co. SELCO claims the restaurant chain failed to impose adequate data security measures. As a result, countless members’ cards were compromised requiring costly card reissuing and the coverage of fraudulent charges. The case is pending.
Similarly,
Defense strategy
Credit unions can take proactive measure to continually educate employees and members on best practices to thwart cyber crooks, noted ITRC’s Velasquez. She summed up the best cyber-defense strategy in one word: communication.
“Communicate, communicate, communicate with any and all platforms available such as website messaging, mailed inserts and even in-bank displays,” said Velasquez. She added that financial institutions have to recognize possible threats on multiple levels. These include members as potential victims of a phishing attack, employees who might handle personal or human resources documents, and employers who need to be consciously aware of threats.
“Since 2006, financial institutions have ranked at the bottom for the number of data breach incidents,” she said. “As to what steps financial institutions take to prevent data incidents, those are covered under the Gramm-Leach-Bliley Act requiring companies defined under the law as financial institutions to ensure the security and confidentiality of this type of information.”
Hodge said credit unions should have cybersecurity checklists. For guidance, he suggested using the publication NIST 800-53, the PCI Data Security Standards (DSS) and the NCUA examiners’ guide.
“The basics will include: good internal segmentation, a stateful-inspection capability on your firewall and two-factor authentication for remote access, a vulnerability management program, a breach response program, and a good security assessment process, as well as regular training tailored to the threats you are likely to face and solid oversight.”
