Financial and Insurance


    Denial of Service and use of stolen credentials on banking applications
    remain common. Compromised email accounts become evident once
    those attacked are filtered. ATM Skimming continues to decline.



    927 incidents, 207 with confirmed data disclosure

    Top 3 patterns

    Web Applications, Privilege Misuse, and Miscellaneous Errors
    represent 72% of breaches

    Threat actors

    External (72%), Internal (36%), Multiple parties (10%), Partner (2%) (breaches)

    Actor motives

    Financial (88%), Espionage (10%) (breaches) 

    Data compromised

    Personal (43%), Credentials (38%), Internal (38%) (breaches)


    Filters are not just for social media photos

    We use filters in data analysis to focus on particular industries or threat actors and to pull out interesting topics to discuss. We also exclude certain subsets of data in order to reduce skew and avoid overlooking other trends and findings. This is not to say that we ignore or deny their existence, but rather we analyze them independently in other sections of this study. In this industry, we acknowledge, but filter, customer credential theft via banking Trojan botnets. Their numbers in this year’s data set show that they are not inconsequential matters, over 40,000 breaches associated with botnets were separately analyzed for the financial sector. We discuss both of these scenarios in more depth in the Results and Analysis section, but there is not much to say that has not already been said on the subjects. Below is what’s left and we will start with the common pairings of action and asset varieties.

    Keep in mind that breaches are often more than one event, and sometimes more than one of the combinations above are found in the same breach. 


    I’d rather be phishing

    When we look at the two pairings that share mail servers as an affected asset in Table 4, we can see a story developing. Adversaries are utilizing social engineering tactics on users and tricking them into providing their web-based email credentials. That is followed by the use of those stolen creds to access the mail account. There are also breaches where the method of mail server compromise was not known, but the account was known to have been used to send phishing emails to colleagues. So, while the specific action of phishing is directed at a human (as, by definition, social attacks are), it often precedes or follows a mail server compromise. And there is no law that states that phishing cannot both precede and follow the access into the mail account (there are laws against phishing, however). Phishing is also a great way to deliver malicious payloads. 

  • Table4
  • End of an era?

    Physical attacks against ATMs have seen a decline from their heyday of the early 2010s. We are hopeful that the progress made in the implementation of EMV chips in debit cards, influenced by the liability shift to ATM owners, is one reason for this decline. ATM jackpotting is certainly an interesting way to make a buck, but is not a widespread phenomenon. Figure 50 highlights the drop in Payment card data compromise from last year’s report.

    While payment card breaches are declining, personal data is showing the largest gain from the 2018 report. Focusing on financial breaches where personal data was compromised, social attacks (Everything Else), misdelivery of data and misconfigurations (Miscellaneous Errors), Web Applications and Privilege Misuse are behind over 85 percent.

  • Figure 50
  • Things to consider

    Do your part

    2FA everything. Use strong authentication on your customer-facing applications, any remote access, and any cloud-based email. Contrarians will be quick to point out examples of second authentication factors being compromised, but that does not excuse a lack of implementation.

    Squish the phish

    There is little that financial organizations can do to ensure that their customers are running up-to-date malware defenses or make them “phish-proof,” but spreading a little security awareness their way can’t hurt. And speaking of security awareness, leverage it to keep employees on their toes when interacting with emails.

    Inside job

    There were 45 confirmed breaches associated with misuse of privileges. The details were light on most of these but tried and true controls are still relevant. Monitor and log access to sensitive financial data (which we think you are already), and make it quite clear to staff that it is being done and just how good you are at recognizing fraudulent transactions. In other words, “Misuse doesn’t pay”.