The 12 biggest known data breaches involving U.S. financial services companies and companies in closely related sectors may have affected more than 65 million Americans so far this year.
A search of records collected by the Maine attorney general’s office, the Indiana attorney general’s office, the U.S. Securities and Exchange Commission and other sources revealed that those breaches have reported victim counts ranging from about 10,000 to 37 million.
Attackers used a variety of methods to get into the companies’ systems.
For a look at the companies affected, see the gallery above.
What it means: You need to help clients understand the importance of picking hard-to-crack passwords, changing passwords often, monitoring financial accounts closely and taking other steps to protect themselves against strangers who may know everything from the city where they were born to their debit card security codes.
The data: The United States does not have one big, public database that lists all known breaches, and few states run breach databases that provide national impact numbers.
Because Maine and Indiana are two states that do provide national impact figures, we relied heavily on their breach report databases.
We included national investment companies, money center banks, life insurance and annuity issuers, retirement services providers, distributors, support services companies, and companies in some other sectors that have become key components of the financial system.
We excluded health insurers and regional banks, and we combined into a single entry the many companies affected by the Cl0p ransomware group’s attack on the MOVEit file transfer system; that attack affected a firm that tracks annuity holders and pension plan participants to help clients locate their customers.
Progress Software, the company that runs the MOVEit system, has emphasized that it took steps to address the MOVEit vulnerability as soon as it learned of it.
The attacks: The attacks included traditional system hacking; phishing, or efforts to extract system access information from authorized users; and credential stuffing, or automated moves to see whether stolen passwords that work on one system might work on another.
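As an added example (not part of the article), here is a simple detection heuristic for the credential-stuffing pattern described above: a single source trying failed logins against many different usernames in a short window, with any successes marking accounts whose reused passwords need resetting. The log lines are constructed, and the field layout is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from any real system).
# Assumed format: ISO timestamp, source IP, username, result
SAMPLE_LOG = """\
2023-09-01T10:00:01 203.0.113.5 alice FAIL
2023-09-01T10:00:02 203.0.113.5 bob FAIL
2023-09-01T10:00:03 203.0.113.5 carol FAIL
2023-09-01T10:00:04 203.0.113.5 dave FAIL
2023-09-01T10:00:05 203.0.113.5 erin FAIL
2023-09-01T10:00:06 203.0.113.5 frank SUCCESS
2023-09-01T10:00:07 198.51.100.7 alice FAIL
2023-09-01T10:00:20 198.51.100.7 alice FAIL
2023-09-01T10:00:40 198.51.100.7 alice SUCCESS
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: summary} for source IPs whose failed logins span at least
    `min_users` distinct usernames within `window`. Credential stuffing tries
    one stolen password per user, so unlike brute force against a single
    account it produces many usernames per source, most of them failures.
    Accounts that did succeed in the same window are reported for follow-up."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            failed_users, ok_users = set(), set()
            for ts, user, result in rows[i:]:
                if ts - start > window:
                    break
                (failed_users if result == "FAIL" else ok_users).add(user)
            if len(failed_users) >= min_users:
                flagged[ip] = {"distinct_failed_users": len(failed_users),
                               "successful_users": sorted(ok_users)}
                break
    return flagged
```

A user retrying their own password (the second IP above) is not flagged, because the heuristic keys on distinct usernames per source rather than on failure count alone.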