Since January 2018, financial companies have suffered 2,260 data breaches, affecting over 232 million records.
Our team of researchers analyzed data from 2018 to September 2023 to find out the biggest cause of these breaches, how many records have been affected each month and year, the most affected financial organizations, and which US states see the most financial breaches.
Our study covered breaches that affected millions of people, some of which led to the exploitation of personal financial data, putting many victims out of pocket. Bank details, Social Security numbers, credentials/passwords, and tax identification numbers are just some examples of the types of data bad actors are stealing from financial institutions.
2022 saw the highest number of financial data breaches so far with 615 in total–a 59 percent increase on 2021’s figures (388). But 2023 looks set to exceed this with 521 data breaches recorded up until September. The number of records involved is also on the up. Records affected increased from 24.9 million in 2021 to 29.3 million in 2022. 2023 looks set to at least double these figures, having already seen a whopping 43.6 million records impacted in financial data breaches.
Key findings:
- 2,260 financial data breaches from January 2018 to September 2023
- 232,101,892 individual records were affected as a result of these breaches
- 2022 was the biggest year for financial breaches with 615 reported
- 2019 was the biggest year for the number of records affected with over 101 million in total. The vast majority of these (100m) stemmed from the Capital One breach
- Banks have seen the most data breaches, closely followed by insurance companies and investment companies
- Hacking was the most common type of breach, accounting for 32 percent of breaches (734 out of 2,260)
- Over the last two years, we have introduced breaches via a third party as a category. This is due to a number of large-scale attacks affecting hundreds of companies at a time (the MOVEit Transfer breach as an example). In 2022, 98 breaches featured in this category, while 2023 has already seen 199
While all 50 US states require mandatory reporting of data breaches, there are some variations. For example, some have different requirements depending on the number of records affected. In Alaska, if more than 1,000 people need to be notified of a breach, consumer reporting agencies must also be notified. Equally, only some states have publicly-available lists of the data breach notifications they have received. Therefore, the figures we have found are likely to just scratch the surface of the true extent of financial data breaches.
The biggest years for financial data breaches
2022 was the biggest year for financial data breaches with 615 in total. But 2023 looks set to surpass this (521 have been reported already). These figures are in part due to the third-party breaches noted above.
If you were to exclude the 100 million records affected in Capital One’s 2019 data breach, breached records have risen dramatically over the last four years (from 3.5 million in 2018). 2020 and 2022 both saw figures of just over 29 million and 2021’s figure was slightly lower at just less than 25 million.
What is 2023 looking like for financial data breaches?
As we enter the final quarter of the year, 2023 has seen 521 data breaches with 43,596,136 records impacted as a result. Data breaches within the financial sector are on an uphill trajectory with the total number of breaches this year likely to exceed figures from 2022. Many large-scale third-party attacks occurred throughout 2022 and 2023 (such as the MOVEit transfer breach in May 2023). Hackers are targeting companies with large datasets. And financial data is arguably some of the most valuable data to get your hands on.
Data breaches by the type of financial company
When we break down the data by the type of financial company impacted by the data breach, we can see the types of organizations that are being targeted and how this has changed on a year-by-year basis.
Please note: a company has been categorized based on its primary service. For example, some investment companies may also offer advice on insurance policies but have been categorized as an investment company.
Overall, banks are the most heavily-targeted organizations, accounting for 32 percent (720) of all the financial data breaches we’ve tracked since 2018. They are followed by insurance companies (563 breaches) and investment companies (201 breaches).
Credit unions have seen a growth in attacks rising from just 10 attacks in 2018 to 47 in 2022. In contrast, accounting and tax firms have seen fewer attacks on a yearly basis, dropping from 20 attacks in 2018 to 9 in 2022.
Banking saw the most records impacted, but most of these–100m of 107.8m–were from the Capital One breach. Insurance companies have also seen a large volume of records impacted, with more than 55.4 million affected over our reporting period. 29.7 million of these records were affected in 2023.
Organizations specializing in savings and loans and financial technology firms have seen some of the biggest increases in records affected. The former saw 7.7 million records impacted in 2022 (compared to just over 788,000 in 2021) while the latter noted 9.1 million impacted records in 2022 (compared to 143,500 in 2021). Both have noted high figures for 2023 (3.5 million and 7.1 million respectively). 2023 has also seen an uptick in records stolen from wealth management (1.1 million) and retirement/pension firms (1.7 million).
The top 10 biggest financial data breaches from January 2018 to September 2023
Below are 10 of the biggest-known financial breaches with the highest numbers of records impacted. They are:
- 2019, Capital One, N.A. = 100 million records affected: A hacker illegally accessed and obtained 100 million Capital One credit card users’ personal and banking information due to a misconfiguration of a firewall. This allowed the intruder to access user data stored by Capital One on Amazon Web Services.
- 2022, Cornerstone Payment Systems = 9.1 million records affected: Sensitive data was left exposed on a misconfigured server that didn’t contain any security authentication for payment giant Cornerstone Payment Systems.
- 2020, Zacks Investment Research, Inc. = 8.93 million records affected: An unknown third party stole customers’ encrypted passwords, which were later circulated on a popular hacking forum.
- 2023, Managed Care of North America (MCNA) = 8.92 million records affected: MCNA suffered a ransomware attack at the hands of LockBit in February 2023. As a result, 112 insurance plans were impacted, which affected nearly 9 million consumers.
- 2021, Cash App Investing, LLC = 8.2 million records affected: Customers of Cash App had their personal data compromised after a former employee downloaded internal reports without permission. The data exposed included their brokerage account number as well as their recent trading activity.
- 2020, Dave, Inc. = 7.5 million records affected: A malicious party gained unauthorized access to Dave, Inc (a personal finance app).
- 2020, Infinity Insurance Company = 5.7 million records affected: Upon investigation, Infinity Insurance discovered unauthorized access to files on certain company servers within their network across two days.
- 2022, TMX Finance Corporate Services, Inc. = 4.9 million records affected: In March 2023, TMX confirmed that information on their systems may have been acquired from as early as December 2022 after suspicious activity was discovered.
- 2023, Alogent – Third-party MOVEit Transfer = 4.5 million records affected: Alogent was breached as a result of the large-scale attack that affected its vendor, Progress Software (developers of MOVEit Transfer).
- 2021, Insurance Technologies Corporation = 4.3 million records affected: Insurance Technologies Corp. was forced to pay $11 million in a data breach class action with the U.S. District Court. The company failed to adequately protect and secure customer information which resulted in personal information being exploited by an unauthorized party.
These highest-ranking financial data breaches covered a range of data breach types, including hacking, ransomware, disclosure, and third-party breaches. See the graph below on what was the most popular data breach type used.
Hacking has proven to be the most popular method for data breaches with one-third of breaches occurring this way (734 out of 2,260 breaches). If we discard attacks that remain unknown, card breaches (fraud involving debit/credit card details) were the second-highest attack method at 320 breaches.
Another challenge that faces the financial sector is ransomware attacks. As our recent report found, from 2018 to June 2023, ransomware attacks on the finance sector have cost the US economy $16.35 billion in downtime alone. Equally, while the number of ransomware attacks occurring in the financial sector has decreased in recent years, the number of records affected has sharply increased. In 2022, 3.5 million records were breached in ransomware attacks on financial organizations, compared to 9.2 million reported already for 2023.
In contrast, we are seeing near-extinct values for both stationary (e.g. stolen desktop computers) and portable (e.g. stolen laptops or USBs) breaches. A low but steady number were reported from 2018 to 2021, but zero attacks were seen in 2022 and just one stationary breach occurred so far this year. This highlights the switch to using online document formats, which, while convenient, puts these documents at higher risk of exploitation via hacking.
The top 5 worst-hit states for financial data breaches and records impacted
If we take a look at the number of breaches by US state, we can see that Massachusetts had the most by far, accounting for 386 (17 percent) of the 2,260 data breaches. This is largely due to a number of card-related breaches (which may only affected one person) being reported in the state.
Financial data breaches and records affected by year and state
California (213), New York (202), Texas (111), and Virginia (107) are the other four worst-hit states. However, as all of these are among some of the most populous states in the US, this perhaps isn’t much of a surprise.
When it comes to the number of records affected, the picture does change somewhat.
Virginia comes out on top for the number of records affected, making up 46 percent of records affected across all states (106 million out of 232 million records). However, most of these come from the aforementioned Capital One data breach. As the head office is located in Virginia, the records are assigned to this state but residents from across the US will have been affected.
Nevertheless, even if we disregard the Capital One breach, Virginia would still rank in 6th place for records impacted due to a further 5,926,125 being impacted in the state.
Georgia records the second-highest number of records impacted with 21.6 million records breached, closely followed by California (20.3 million), Illinois (13.8 million), and Oregon (11.7 million).
A further 15 states also recorded breaches of more than 1 million records. These were: Texas, Alabama, New York, Florida, Ohio, Colorado, Nebraska, Connecticut, Delaware, Michigan, Pennsylvania, Minnesota, Indiana, Iowa, and Louisiana.
It goes without saying that Virginia tops the charts again for the number of records affected per 100,000 people. But when we look at the remaining top states, we start to see which states may have been the most impacted by financial data breaches.
Oregon records the second-highest number of breached records per 100,000 people with 275,433 records. This was closely followed by Delaware (256,396 records affected per 100,000 people) and Georgia (202,059 records affected per 100,000 people).
Another 3 states had more than 100,000 affected records for every 100,000 people of the population. These were Nebraska (141,203), Alabama (117,079), and Illinois (107,984). At the other end of the spectrum, over the last six years Alaska has reported just 1 breach affecting 733,391 people.
Methodology
In order to gain a well-rounded view of financial data breaches that have occurred over the last six years, our team searched through industry resources, state data breach notification tools, and news sources to collate an extensive list of data breaches dating back to 2018.
Where possible the breach is assigned to the year and month in which it occurred. For example, a breach may have occurred in 2020 but may have only been disclosed in 2021. We would, therefore, allocate this to 2020’s figures, as this is when the breach happened. If this data wasn’t available, the date that the breach was reported was used instead.
Each breach was assigned to a breach type where possible. Often, not enough information was disclosed about the data breach and, therefore, the breach was assigned to be unknown.
This time around we have made a few changes. Health insurance companies have been included and third-party breaches from the last two years have been added.
Data Researcher: Charlotte Bond