With news breaking of the largest bank theft ever — one that has netted as much as $1 billion from 100 banks and other financial institutions in 30 countries since late 2013 — the specter of cybercrime has reached new heights.
Russian hackers infiltrated financial institutions around the world in a complicated, long-running offensive, the cybersecurity firm Kaspersky said Monday. Most of the victims were Russian, although targets included banks in the U.S., Japan and Europe.
Meanwhile, over the year ending in October, more than 500 million financial records were stolen, the FBI reported. Perhaps just as scary, the average breach goes undetected for seven months.
The White House has taken notice. On Friday, President Barack Obama signed an executive order encouraging the government and the public to share information about cyber threats.
Meanwhile, the PureFunds ISE Cyber Security ETF (HACK), which invests in cybersecurity firms, hit an all-time high on Tuesday. The fund, introduced in November, has more than doubled in size over the past six weeks to $231 million in assets, ETF Trends reported.
Tom Giachetti, the securities attorney who writes the monthly Compliance Coach column for Investment Advisor, spoke at the recent TD Ameritrade Institutional conference on How to Survive Today’s SEC Exams: Giachetti. One of his major points: if you have an RIA firm, you must have a cybersecurity policy for your own firm, and your vendors, that withstands muster from SEC examiners.
The staggering scale and growing complexity of cyberattacks should give everyone in the financial services industry pause, along with anyone who uses a credit card. With seemingly every transaction at risk for theft by hackers, the FBI warns that all companies should be beefing up their cybersecurity efforts.
The cybersecurity firm Kroll offers tips to safeguard its data. Chief among them is the need for businesses to hire an outside party to conduct periodic risk assessments. Doing so ensures employees won’t be pressured to gloss over potential problems for fear of putting their jobs at risk.
Businesses shouldn’t rely on encryption alone to secure data because professional hackers can break the codes. It’s also important, Kroll noted, to keep up to date on security patches for software.
Finally, it’s not just the primary business that must be vigilant. In the case of Home Depot, and Target the year before, hackers accessed data by stealing passwords from vendors. Holding suppliers to the same security standards as a company’s own employees is critical.
Despite all the warnings and horrific stories, there appears to be no sign that hackers will be stopped anytime soon.
Individuals would do well to monitor their credit ratings to make sure any credit or identity theft is caught before too much damage is done. It’s also wise to frequently change passwords and to not use the same one for multiple websites.
As a reminder of what can happen to your financial data, read on to learn about six major cyberattcks from the past year targeting financial data. Hack attacks are listed in reverse order of the number of financial consumers affected.
This was the mother of all hacks, based on media coverage anyway, allegedly perpetrated by the North Korean government in retaliation for “The Interview,” a movie about journalists sent to assassinate Kim Jong-un, the reclusive country’s dictator.
(Cybersecurity experts say the hack is more likely an inside job. The FBI maintains that North Koreans are responsible and says the skeptics aren’t privy to all the evidence.)
The hack unleashed embarrassing emails between studio execs revealing their thoughts about stars and even President Barack Obama. The movie’s opening was delayed amid security concerns, and Amy Pascal, many of whose emails were leaked stepped down as co-chairwoman of the studio.
The fallout in financial terms included the theft of Social Security numbers and financial information for 50,000 employees and their dependents. The final accounting of the problems caused by the hack attack is not yet known.
5. U.S. Postal Service
It’s been a rough time to be a postal worker. The quasi-governmental unit has been drowning in debt for years as email and competing delivery services have caused problems. And then there’s the reason the Postal Service made the list: the personal information of all 800,000 employees was compromised.
Chinese hackers were the suspected culprits. Despite the fact that Social Security numbers and other data were taken, the Washington Post reported that identity theft was not believed to be the reason for the hacking. Instead, the newspaper reported that security analysts said it’s possible that the hackers might have thought the Postal Service would have a large cache of data on citizens, as is the case in China.
Forbes hasn’t had a good year, cybersecurity-wise.
In February 2014, the Syrian Electronic Army hacked Forbes through phishing attacks to administrator accounts, saying it had a list of 1 million users and threatening to sell it. The group claimed responsibiliy for the hack from a tweet posted from a reporter’s account.
The site announced this month that some visitors to its site on Nov. 28 were the targets of mischief. Most of those targeted worked for defense contractors and financial institutions. The exact number of Forbes’ readers affected is unclear, although it was a small percentage of the approximately 2 million that visit the site each day.
Forbes says the Adobe Flash problem with its “Thought for the Day” page that allowed the hacking was quickly fixed. Two cybersecurity firms said they believed the hackers were part of a Chinese group.
3. Home Depot
Just before the holidays, customers of the chain got a nasty surprise: hackers had made off with the credit- and debit-card account information for 56 million people and the email addresses for 53 million. The attack was similar to one aimed at Target the previous year that used a password of a company vendor to access the data from self-checkout lanes. Customers who used payment cards in 2014 were offered free credit reporting services.
Cyber thieves managed to steal the personal information of 80 million current and former employees and customers of the giant health insurer.
The heist netted home and email addresses, Social Security numbers and other data. Anthem has said medical records and credit card information were apparently untouched.
The attorneys general of several states have complained that the company was slow to inform those affected. There is no proof of who was behind the attack, although some experts point to Chinese thieves as the likely culprits.
In the wake of the hack, the FBI warned that the health care industry was at particular risk for cyberattacks.
1. JPMorgan Chase & Co.
The data of 83 million households was at risk during an attack last summer on the megabank. The reason for the theft is not exactly clear. The hackers were evidently in Russia. Some theories hold that the hack, with no evidence of personal identity theft, was a demonstration of what the hackers could do, perhaps in retaliation for sanctions imposed on Russia by the U.S. Customers were alerted and are on the watch for problems.
— Related on ThinkAdvisor: