Breach data from Maine shows scope of bank, credit union exposures

Data from Maine reveals the extent of breaches affecting financial institutions and their customers. The largest breaches this year have affected more than 200,000 people each.

So far in 2022, at least 79 financial service companies have reported data breaches affecting 1,000 or more consumers, and the total number of consumers affected by these breaches could be as high as 9.4 million.

Those numbers come from Maine Attorney General Aaron Frey, pursuant to the state's data breach disclosure laws. The figures track the total number of people affected by each breach — not just Maine residents.

As measured by the number of people affected, the largest data breach by a bank so far this year impacted Flagstar Bank, which now faces multiple class actions over the incident. The bank told the Maine attorney general the breach affected more than 1.5 million consumers, who had their names and Social Security numbers exposed in the incident.

"For those impacted, we have no evidence that any of their information has been misused," the bank wrote in a statement. "Nevertheless, out of an abundance of caution we are offering complimentary credit monitoring services."

The Maine data provides a wide but incomplete picture of the data breaches affecting consumers this year. Maine only tracks breaches that affect at least one state resident, so the total number of financial services companies and consumers affected by breaches nationwide is certainly larger.

Only two financial service companies have reported larger breaches this year. Elephant Insurance Services in Virginia reported in May that it was hit with a breach affecting more than 2.7 million consumers. Lakeview Loan Servicing, the fourth-largest mortgage loan servicer in the U.S., said in March that a breach that hit it last year affected more than 2.5 million consumers. Each faces at least one lawsuit over the incidents.

"Like many other organizations, Lakeview experienced a security incident in 2021," the company said in a statement. "Steps were taken to immediately contain the incident, law enforcement was notified, and a thorough investigation was conducted by a forensic investigation firm. Lakeview's operations were not disrupted."

In its own statement, Elephant said it took "prompt measures to secure its systems, investigate this incident, and determine what information may be affected." The firm also said it "reported the incident to federal law enforcement and is notifying appropriate state regulatory agencies."

So far this year, at least two other financial institutions have suffered data breaches affecting more than 100,000 people. A breach at Boeing Employees' Credit Union starting in mid-June affected 344,752 consumers and their Social Security numbers.

"On June 6, BECU was informed that our third-party printing vendor had experienced a network security incident that impacted their printing and notification services for our members and involved unauthorized access to certain data of some members," the credit union said. "At that time, BECU took immediate measures to protect member information by suspending services with the vendor."

A breach at First Financial Credit Union in Southern California starting in mid-January affected 229,748 consumers and their driver's license numbers.

"As soon as we became aware of the incident, we immediately launched an investigation into the nature and scope of the incident," Ron Moorehead, president and CEO of First Financial, told the Albuquerque Journal. "A third party information technology forensic firm has been engaged to assist us and help ensure the security of our systems. The investigation remains ongoing, and will take some time to complete."

These large breaches do not reflect the typical scope of breaches affecting customers of financial institutions. Most breaches affecting financial institutions affect fewer than 5,000 people each, and many of those affect credit unions and regional banks, according to the Maine data.

Additionally, while some of the breaches are the result of insider wrongdoing, the largest tend to be the result of a threat actor extracting data from a company.

Many states publish information about data breaches affecting their residents, but the information Maine publishes is among the most detailed. For each breach, Maine reports the number of consumers affected, the type of data compromised (usually Social Security numbers, driver's license information, or passport photos), dates related to the incident, and more.

Many states also have a higher threshold for when to report an incident. For example, Oregon's attorney general only reports data breaches affecting more than 250 Oregonians and does not report the total number of consumers affected by each breach.
