What We Can Learn From Recent Banking Data Breaches


Data breaches happen all the time—you just don’t hear about them. 

The endlessly churning news cycle buries cyberattacks under piles of pablum.

For a banking data breach to make the news and stay there, it has to be bad. Like, really bad.
It also must evade the victim’s damage control/security team, whose job it is to keep bad press under lock and key. 

After all, the price of a bank breach isn’t just about money. It’s about reputation and trust, which no amount of funds can recover. 

Cyberattacks are constantly evolving, and that leaves banks just two options: 1) ignore the trends, or 2) study them, learn from them, and do whatever it takes to prevent them.

Today, we’ll explore three banking data breaches from 2023—some of which made headlines, though none of which stayed in the news for long. 

At .Bank, our goal is to help you understand how these cyberattacks happened, so you can take meaningful steps to ensure they never happen to you. 

Barbarians at the (Digital) Gates: A Snapshot of the Numbers

By 2025, global cybercrime is expected to carry an annual price tag of $10.5 trillion.

While the costs are unfathomable, cyberattacks are particularly devastating because their effects are seldom known immediately.

In fact, victim organizations often take months just to recognize that an attack took place. 

According to an IBM report, the average breach takes 212 days to detect—and another 75 days to contain.

With that kind of delay, hackers have an eternity to infect computers, servers, and networks. 

That’s bad news for banks, as they are the biggest repositories of confidential information, sensitive data, and, in the eyes of cybercriminals, a gold mine of money. 

The financial sector continues to be a leading target for cybercrime syndicates, and the effects are felt all around the world: cybercrime is a global problem.

While entire regions are exploited, smaller areas aren’t off the hook.

Last year, the island nation of Vanuatu suffered a cyberattack that literally took its entire government offline for nearly a month.

If cyberattacks can shut down national governments, what can they do to a bank? Unfortunately, we have several recent examples to help answer that question. 

Notable Data Breaches in The Banking Sector

Sadly, when a cybercrime tragedy strikes, it’s often the big financial services firms who receive sympathy—not the “little guy.”

When huge firms like JPMorgan Chase get breached (as they did in 2010, affecting 83 million people), industry leaders scurry to figure out what happened and rectify it. But when smaller institutions (like community banks) get hit, it barely makes the local news.

Today, we’re going to focus our attention on some recent attacks, both big and small, with the goal of highlighting a hard truth: no one is safe from cybercrime, no matter their size, history, or reputation. 

1. Mascoma Bank, August 2023

In early 2023, a coordinated international cyberattack affected over 60 million people.

The target? “MOVEit,” a popular file transfer software used by leading governments, banks, and health organizations around the world. 

When news of the attack broke, the media published countless articles spotlighting Deutsche Bank and ING among the victims.

Meanwhile, a little-known community bank got lost in the shuffle: Mascoma Bank, a regional firm in northern New Hampshire, which suffered the very worst consequences of the attack while receiving a fraction of the media attention. 

As we’ll see, they weren’t the only community bank that got overlooked. 

Attack Method: The cybercrime group CL0p executed a zero-day attack on the MOVEit software. 

In other words, they exploited a system vulnerability unknown to its developers, exfiltrated massive quantities of data, and extorted the companies involved. 

More specifically, the attack method appears to have been an SQL injection (SQLi), which allows attackers to view, alter, delete, steal, and publish data they otherwise couldn’t access. 
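To make the SQL injection point concrete, here is an added example (not code from the article, and unrelated to MOVEit's actual code) showing a deliberately vulnerable query beside its parameterized fix, run against an in-memory SQLite table of constructed sample rows. The table, the user names and the crafted input are all assumptions made for the demonstration.

```python
# Added example (not from the .Bank article): a deliberately vulnerable query
# beside its parameterized fix, run against an in-memory SQLite database with
# constructed sample rows. It shows how SQL injection lets untrusted input
# change the meaning of a query, and how parameter binding removes the problem.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (id INTEGER, owner TEXT, filename TEXT)")
    conn.executemany(
        "INSERT INTO transfers VALUES (?, ?, ?)",
        [
            (1, "alice", "q2-statements.pdf"),
            (2, "bob", "loan-application.xlsx"),
            (3, "carol", "kyc-scan.png"),
        ],
    )
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    """BAD: untrusted input is spliced into the SQL text.

    The owner value becomes part of the statement, so a value containing
    quote characters can rewrite the WHERE clause.
    """
    sql = f"SELECT filename FROM transfers WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn: sqlite3.Connection, owner: str) -> list[str]:
    """GOOD: the value is bound as a parameter and never parsed as SQL.

    The driver sends the statement and the value separately, so the WHERE
    clause always compares against the literal string that was supplied.
    """
    sql = "SELECT filename FROM transfers WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo() -> dict:
    """Run both variants with an honest value and a constructed crafted value."""
    conn = make_db()
    honest = "alice"
    # Constructed input that closes the string literal and appends a tautology,
    # the textbook illustration of how injection changes the query.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_honest": sorted(list_files_vulnerable(conn, honest)),
        "vulnerable_crafted": sorted(list_files_vulnerable(conn, crafted)),
        "safe_honest": sorted(list_files_safe(conn, honest)),
        "safe_crafted": sorted(list_files_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for name, files in demo().items():
        print(f"{name}: {files}")
```

The vulnerable function returns every row for the crafted value because the input rewrote the WHERE clause; the parameterized function returns nothing, because the crafted string is simply compared against the owner column as data. The same binding discipline applies to any database driver, and it is the one fix that removes the whole class of bug rather than a single symptom.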

Cost: As an infamous Ransomware-as-a-Service (RaaS) group, CL0p leveraged their tools to extort egregious sums of money.

IBM data suggests that the average per-record cost of a cyberattack is $165. When that figure is applied to the (still growing) number of known victims, researchers estimate a total cost of $6.6 billion from CL0p’s attack. 

Takeaways: Given the recency of the MOVEit siege (and its continuing ripple-effects), the total impact of these attacks cannot yet be determined.

Nevertheless, there are three “rules” worth incorporating to tighten your security at key touchpoints:

  1. Audit your third-party vendors. CL0p didn’t need to hack the banks themselves—they just had to compromise the file transfer software the banks relied upon.

    Make sure your vendors have high security standards, and ask for details regarding their hacking response protocols and safeguards.

    Don’t take their word for it. Find out for yourself, and if you don’t like what you see, consider finding a different vendor.

    Ultimately, you are the last line of defense for your bank’s security. Make sure your vendors treat your data like it’s their own.

  2. Never trust the silence. Sobering new evidence shows that CL0p had known about the zero-day vulnerability since 2021.

    In truly villainous form, they waited several years to take action, growing stronger with every passing day.

    The point is clear: just because the “coast is clear” today doesn’t mean you’re truly safe. As you audit your third-party vendors, put your internal processes under the microscope.

    Engage in regular penetration testing to assess the quality of your security (and the efficiency of your response).

  3. Regularly update and patch software. SQLi vulnerabilities multiply like cockroaches: the first one you see is proof that more are lurking nearby.

    To prevent these attacks, always patch your software to the latest version.

    In the IT administration world, “Patch Tuesday” is a real thing. On the second Tuesday of the month, leading software providers update their products and services. Though it’s not a national holiday, your bank should observe it as such.

    After all, patch management is one of the most effective security countermeasures on the market. It not only fixes bugs and improves performance, but it eliminates the vulnerabilities hackers are waiting to exploit. 

So, why did we name this section the “Mascoma Bank” attack? 

The reason is simple: in the modern age, banks of all sizes are intertwined when they leverage the same third-party vendors. An attack on one becomes an attack on them all.

In the case of MOVEit, Mascoma Bank was just one of many small institutions that suffered alongside industry titans like Deutsche Bank and ING. 

And unlike those firms, there were few press releases or PR campaigns to save face, just this humble “Notice of Data Event” sent to their customers. 

Of course, Mascoma wasn’t the only community bank to feel the heat. Check out the growing list of known victims.

Note: CL0p was also behind the attack on Flagstar Bank in December 2021, six months before the financial institution even knew they were breached.

As with MOVEit, the cybercriminal cabal hacked file-sharing software to expose the data of 1.5 million consumers. This was Flagstar’s second breach in less than two years. 

2. Intesa Sanpaolo, August 2023

On August 1, 2023, Italy’s cybersecurity agency discovered several abnormalities in their mainframe. 

The websites of an Italian water supply company, a public transportation company, and a national business newspaper were all shut down—alongside five major Italian bank domains.

Within minutes, the cybersecurity team identified the cause: Russian hackers were actively disrupting Italy’s infrastructure, including their largest bank, Intesa Sanpaolo. 

Attack Method: NoName057(16)—the Russian “hacktivists” that perpetrated the breach—leveraged a distributed denial-of-service (DDoS) attack to disable Italy’s leading banks. 

In other words, they flooded the targeted websites with malicious traffic until they became totally inoperable. Beyond this particular attack, NoName057(16) frequently uses botnets—networks of compromised devices—to launch coordinated attacks on NATO allies and Eastern European nations.

Cost: As a result of the attack, five major banks were abruptly taken offline during business hours. 

In addition to Intesa Sanpaolo, the other besieged banks included Monte dei Paschi di Siena, BPER Banca, FinecoBank, and Banca Popolare di Sondrio.

The hackers did not extract data or seek a ransom. Instead, they simply intended to show the Italian state how easily they could cripple their infrastructure.

To that end, they left a lengthy note promising to “continue to punish Italy” over long-standing geopolitical disagreements. 

Takeaways: On the one hand, this breach may appear rather innocuous. After all, no one seems to have lost their retirement savings or had their identities stolen. 

However, there’s a more insidious layer to this story, and it reveals a lot about the world we inhabit. Hacking isn’t terribly difficult, and large quantities of people engage in it every day. 

Some do it for sport and others for money. In this case, NoName057(16) paralyzed Italian banks purely to make a political statement. 

They hack because they’re good at it. They hack because they can.

In fact, this cantankerous group of cybercriminals has since developed their own proprietary distributed denial-of-service technology—what they call “DDoSia.” Worse yet, they have over 45,000 subscribers on Telegram, a globally-accessible instant-messaging service.

Many of these followers actively participate in launching new DDoS attacks and get paid in cryptocurrency to do so. In effect, it is cybercrime organized and recruited through a messaging app. 

However you spin it, the Intesa Sanpaolo attack paints a frightening picture of the future. As “DDoS-as-a-service” becomes a reality, and hacking provides a viable income stream to any interested parties, every digital domain will become vulnerable. 

Banks aren’t securing themselves against “a few bad apples.” They’re protecting themselves against anyone with a device, internet access, and an ax to grind. 

3. Capital One and Bank of America, March 2023

Big-name banks are widely thought to be invincible. It’s part of their appeal. 

Unfortunately, both Capital One and Bank of America know that the reality is much more complicated—and unforgiving. 

In the spring of 2023, both firms were exposed through unexpected means: a cyberattack on a debt collector named NCB Management Services.

As a result, Bank of America (the second largest U.S. bank) and Capital One (the ninth largest U.S. bank) found themselves paralyzed by the gravitational pull of yet another data breach. 

Attack Method: While the exact details surrounding this case are not fully known, it’s likely that phishing opened the door to attack. 

After all, multiple hackers used legitimate credentials to penetrate the NCB network. 

Once inside the system, the attackers gained unfettered access to the debt collector’s vast troves of data, including:

  • Credit card numbers (with CSC security codes). 
  • Bank balances.
  • Bank account numbers.
  • Bank routing numbers.
  • Social Security numbers.
  • Driver’s license numbers.
  • Employment positions.
  • Salary amounts.
  • First names.
  • Last names.
  • Email addresses.

After seizing and exfiltrating the data, hackers likely installed ransomware of some kind. 

How do we know this? In the days following the breach, NCB stated that they “obtained assurances that the unauthorized third party no longer has access to any of NCB’s data.” 

In our opinion, this is a euphemism to admit NCB paid the ransom in full. Otherwise, there’s no reason the hackers would offload the data (their collateral) until they got what they wanted. 

Nevertheless, the ransom was only the up-front cost. 

While 1.1 million people were exposed in the NCB attack, other institutions were implicated in the chaos, including Capital One and Bank of America. After all, these banks—and many other companies—regularly share information with debt collection agencies like NCB. 

After confirming the attack, Capital One informed the nearly 17,000 customers who had their data leaked. Bank of America fared much worse, as nearly 500,000 BofA credit card holders were exposed. 

Several lawsuits have since come to light. 

Cost: How do you calculate the total cost of a banking data breach? Certainly, financial losses can only constitute one part of the equation. 

If we use IBM’s figure that each stolen record costs $165, and we know 1.1 million records were stolen, we quickly calculate well over $181 million in total losses. 

While the final numbers haven’t been disclosed, the actions of NCB and Bank of America suggest they’re quite devastating. 

After all, both parties are offering two years of “free” identity protection services to their affected customers. Though a welcome gesture, it’s widely seen as too little too late. 

Worse, it glosses over the glaring reality that the banks (and the debt collector) failed to adequately protect their clients. 

As a result, their reputations took a hit while the hackers likely walked away with hush-money. While Bank of America spends over $1 billion a year on cybersecurity, it seems there’s much more to be done to protect their customers. 

The same can be said for Capital One, a company already well acquainted with cyberattacks. As you may remember, hackers already exposed over 100 million customer accounts and credit card applications back in 2019. 

History repeats itself. 

Takeaways: There are countless ways to breach a bank, but hackers only need one of those tactics to work. As we’ve discussed, they don’t even need to attack the bank itself. 

They just need to find a third-party vendor whose guard is down. Once cybercriminals penetrate a system, they can run rampant without IT teams suspecting foul play.

Indeed, such “living-off-the-land” (LOTL) attacks are both pernicious and pervasive, as we discussed in our recent overview of the top cybersecurity attacks. 

While hackers have numerous ways to invade, there are a few notable strategies to keep the barbarians outside your castle walls: 

  • Ensure your third parties are secure. As they now know, Bank of America and Capital One should have audited NCB to ensure its data was encrypted, its systems were secured, and it had reliable contingency plans in place.

    Had either bank done their due diligence, they would have been able to address vulnerabilities or reconsider their business relationship with NCB Management.

    This kind of tragedy is common. In fact, almost 75% of all organizations have experienced data breaches due to third-party vulnerabilities.

    Modern banks simply cannot be too careful with their partnerships (and the people they entrust with their good name).
  • Promote employee cybersecurity education. According to the World Economic Forum, nearly 95% of data breaches involve some aspect of human error.

    It’s a frightening prospect to consider, but it’s true: your employees are both your greatest asset and your biggest liability. The same rules apply to your contractors, vendors, partners, and anyone you allow into your physical buildings or digital infrastructure.

    Insider threats—whether negligent or malicious—can undo the most esteemed financial institutions. Just look at Desjardins, the Canadian credit union that saw an employee deliberately exfiltrate the confidential data of nearly 3 million customers.

    It’s vitally important to create a work environment that promotes cyber hygiene.

    Help your team understand how easily confidential data can be leaked, and show them the tools cybercriminals have at their disposal, especially social engineering attacks like phishing and spoofing.

    Finally, don’t hesitate to restrict access controls wherever necessary.

    In other words, grant data privileges only to the employees who absolutely need them. This is especially true if you have a distributed workforce, as employees using Remote Desktop Protocol (RDP) are relentlessly targeted.
  • Incorporate Multi-Factor Authentication (MFA). Banking cybersecurity has many complexities, but its core focus is simple: to keep the bad guys out and the good guys safe.

    Multi-factor authentication (MFA) can help you succeed in that mission.

    In fact, it can help your team survive brute force attacks, which use rapid-fire trial and error to guess login passwords and credentials. Though these attacks aren’t sophisticated, they work—and they’re capable of launching millions of login attempts in short periods of time.

    However, by adding MFA to your team’s security protocols, you can mitigate the risks of relying on passwords alone and frustrate hackers around the world.
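Brute force attempts of the kind described above leave a very recognizable trace in authentication logs, and that trace is the first thing a bank’s security team should be alerting on while MFA is rolled out. The following is an added example (not from the article or from any vendor) of a small detector run over constructed log lines in a hypothetical “timestamp user source result” format; the addresses, user names, threshold and window length are all assumptions chosen for the demonstration.

```python
# Added example (not from the .Bank article): a small brute-force detector run
# over constructed authentication log lines. It flags a source address that
# produces many failed logins inside a short window, and separately flags any
# account that succeeds right after such a burst of failures, which is exactly
# the step a second authentication factor is meant to block.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the "timestamp user source result" format is
# hypothetical and the addresses come from documentation ranges.
SAMPLE_LOG = """\
2023-03-02T09:00:01 alice 203.0.113.7 FAIL
2023-03-02T09:00:02 alice 203.0.113.7 FAIL
2023-03-02T09:00:02 bob 203.0.113.7 FAIL
2023-03-02T09:00:03 carol 203.0.113.7 FAIL
2023-03-02T09:00:03 dave 203.0.113.7 FAIL
2023-03-02T09:00:04 erin 203.0.113.7 FAIL
2023-03-02T09:00:05 alice 203.0.113.7 SUCCESS
2023-03-02T09:15:00 frank 198.51.100.20 FAIL
2023-03-02T09:40:00 frank 198.51.100.20 SUCCESS
"""

FAIL_THRESHOLD = 5              # failures per source inside the window (assumed)
WINDOW = timedelta(seconds=60)  # sliding window length (assumed)


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Split one constructed log line into its four fields."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def detect(log_text: str) -> dict:
    """Return sources that exceed the failure threshold and (user, source)
    pairs where a login succeeded right after a burst of failures."""
    recent_fails: dict[str, deque] = defaultdict(deque)  # src -> fail timestamps
    flagged_sources: set[str] = set()
    suspicious_logins: list[tuple[str, str]] = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, src, result = parse_line(raw)
        window = recent_fails[src]
        # Drop failures that have aged out of the sliding window.
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if result == "FAIL":
            window.append(ts)
            if len(window) >= FAIL_THRESHOLD:
                flagged_sources.add(src)
        elif result == "SUCCESS" and len(window) >= FAIL_THRESHOLD:
            # A success following a burst of failures from the same source
            # suggests a guessed password; MFA would stop the attacker here.
            suspicious_logins.append((user, src))

    return {
        "flagged_sources": sorted(flagged_sources),
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    report = detect(SAMPLE_LOG)
    print("Sources over threshold:", report["flagged_sources"])
    print("Successful logins after a burst of failures:", report["suspicious_logins"])
```

In the sample, one source fails against five different accounts in a few seconds and then succeeds against one of them, so it is flagged twice: once for the burst and once for the suspicious success. A single stray failure followed by a success twenty-five minutes later is not flagged, which is why the window is sliding rather than a plain per-source counter. Real deployments would feed this from the identity provider’s logs and would pair the alert with a lockout or step-up challenge, but the detection logic is the same.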

Ultimately, there are many strategies that banks must leverage in order to develop a robust cybersecurity shield. 

While many require careful research and integration, one can be implemented immediately (and deliver powerful results).

Cybersecurity Starts With Your Domain

Identity theft doesn’t just happen to individuals. Now, it happens to bank websites.

Spoofing has gotten very sophisticated, as hackers ruthlessly copy company fonts, messaging, and even logos to fool customers into trusting fraudulent websites. 

Unfortunately, customers aren’t the only ones who are vulnerable. Bank representatives and employees are, too.

If they fall for the trick, they’ll divulge their private credentials and open the door to attack. 

At .Bank, we specialize in shutting down spoofers.

Our domains are built exclusively for banks—so you, your team, and your clients always know what’s real (and what’s not). 

The registrars we work with are all accredited by ICANN—the Internet Corporation for Assigned Names and Numbers—and additionally meet rigorous operational requirements set by us. In other words, they’re heavily vetted before we partner with them. 

Here’s why that matters: our registrars require MFA and implement security measures to ensure your domains and the accounts with access to manage them are safeguarded to prevent domain hijacking and account takeover crimes.

Welcome to .Bank

There’s a lot to learn from recent cyberattacks. 

While there are many takeaways to consider, one truth stands out: cyberattacks are becoming more common, more complex, and more targeted on the banking sector.

As we saw with the MOVEit software attack, banks of all sizes can be embroiled in the same conflict. 

With regard to countermeasures, many defense strategies are well worth your attention—including employee education, penetration testing, multi-factor authentication, and robust audits of all third-party vendors.

While these protocols take time to integrate, there’s one step you can take right now to fortify your financial institution—and it’s the easiest step of all.

With a .Bank domain name, the threat of counterfeit emails or websites abusing your company’s resources and reputation will be substantially minimized.

Instead, whenever you see .Bank, you’ll know it’s your bank. End of story. 

Find out why 800+ banks have said goodbye to open and unrestricted domains and hello to .Bank.
