Financial data breaches accounted for 153.3 million leaked records from January 2018 to June 2022

Financial breaches accounted for 153.3 million leaked records from January 2018 to June 2022 (1)

Since January 2018, financial companies have suffered nearly a thousand data breaches, affecting over 153.3 million records.

Our team of researchers analyzed data from 2018 to June 2022 to find out the biggest cause of these breaches, how many records have been affected each month and year, the most-affected financial organizations, and which US states see the most financial breaches.

Our study covered breaches that affected millions of people, some of which led to the exploitation of personal financial data, putting many victims out of pocket. Bank details, Social Security numbers, credentials/passwords, and tax identification numbers are just some examples of the types of data bad actors are stealing from financial entities.

2021 was the worst year for financial data breaches with a 12 percent increase on 2020’s figure (rising from 233 breaches to 260). So far, 2022 does seem quieter in terms of the number of breaches being carried out (just 37 breaches have been recorded up until the end of June). However, the median number of records impacted is the highest it has been since 2018, and with many breaches reported several months after they occurred, it’s likely these figures will rise over time.

Key findings:

982 financial data breaches from January 2018 to June 2022
153,334,145 individual records were affected as a result of these breaches
2021 was the biggest year for financial breaches with 260 reported (the second-highest was 2018 with 247)
2019 was the biggest year for the number of records affected with over 101 million in total (2021 had the second-highest but with a much lower figure of 23.2 million)
2019’s vast record count stems primarily from the breach on Capital One, N.A. where 100 million records (made up of payment and card details) were stolen from victims
2022 is the biggest year (so far) for the median number of records impacted in financial data breaches–3,633
Insurance companies have seen the most data breaches, closely followed by banks and investment companies
Hacking was the most common type of breach, accounting for over 50 percent of breaches (508 out of 982)
Ransomware attacks are a growing threat for financial data breaches, having increased significantly in recent years

While all 50 US states have mandatory reporting of data breaches, there are some variations. For example, some have different requirements depending on the number of records affected, e.g. in Alaska, if more than 1,000 people need to be notified of a breach, consumer reporting agencies must also be notified. Equally, only some states have publicly-available lists of the data breach notifications they have received. Therefore, the figures we have found are likely to just scratch the surface of the true extent of financial data breaches.

The biggest years for financial data breaches

2021 was the biggest year for financial data breaches with 260 in total. 2018 also recorded a high number of breaches with 247 reported but had the lowest number of records impacted with just 3.5 million.

If you were to exclude the 100 million records affected in Capital One’s 2019 data breach, breached records have been increasing year on year from 3.5 million in 2018 to 18.3 million in 2020 and a further increase to 23.2 million in 2021.

Equally, if we look at the median number of records affected each year, there were sharp increases from 2018 to 2019 (rising by 145 percent from 585 to 1,433) and from 2019 to 2020 (rising by 100 percent from 1,433 to 2,872). This reduced slightly from 2020 to 2021 (dropping by 1.5 percent to 2,828) but has increased by 28 percent from 2021 to 2022 (rising to 3,633). This adds to the fact that attacks appear to be becoming more targeted in their approach.

What is 2022 looking like for financial data breaches?

During the first six months of 2022, there have been 37 reported financial data breaches with 7,056,706 records affected. While these figures may appear small now, it is likely that figures will rise in the coming months. Nevertheless, across our data breach and ransomware reports, we are noticing a dip in 2022. This is perhaps due to more targeted attacks being carried out. We can see this with the ransomware attack on the Professional Finance Company, where over 650 healthcare providers and a growing number of victims (1.9 million and counting) are reported to have been affected by this attack.

Data breaches by the type of financial company

When we break down the data by the type of financial company impacted by the data breach, we can see the types of organizations that are being targeted and how this has changed on a year-by-year basis.

Please note: a company has been categorized based on its primary service. For example, some investment companies may also offer advice on insurance policies but have been categorized as an investment company.

Overall, insurance companies are the most heavily-targeted organizations, accounting for 23 percent (223) of all the financial data breaches we’ve tracked since 2018. They are followed by banks (170 breaches) and investment companies (162 breaches). However, on a year-on-year basis, it is insurance companies that have seen the most growth. Bank-based attacks peaked in 2020, while investment attacks dipped in 2020 but rose again in 2021.

Mortgage companies have also seen a growth in attacks, rising by 33 percent (from 15 to 20) from 2020 to 2021. In contrast, savings and loans companies have seen fewer attacks on a yearly basis, dropping from 25 attacks in 2018 to 11 in 2021.

When it comes to the records impacted in these attacks, banking saw the most impacted, but most of these–100m of 104.7m–were from the Capital One breach. Insurance companies have also seen a large volume of records impacted, with nearly 20 million affected over our reporting period.

If we look at the median records impacted by type of financial organization, the most heavily-impacted organizations change. Crypto (53,080) and internet banks (3.75m) have the highest medians, but this is due to only a few companies being attacked in their respective categories, which skew the medians here. However, across a larger number of breaches, it is retirement/pension companies that see the highest median records affected: 22,661.

This is significantly higher than the likes of insurance (with a median of 1,527), banks (with a median of 2,401), and investment companies (with a median of 1,076). And a lot higher than all of the other categories we’ve covered–accounting and tax (1,999), brokerage firms (4,365), credit unions (5,671), financial advisors (357), financial technology (1,103), mortgage companies (1,928), and savings and loans (1,479).

The biggest-known financial data breaches from January 2018 to June 2022

According to our findings, there have been 13 financial data breaches in which one million or more records have been impacted. These are:

2019, Capital One, N.A. = 100 million records affected: A hacker illegally accessed and obtained 100 million Capital One credit card users’ personal and banking information due to a misconfiguration of a firewall. This allowed the intruder to access user data stored by Capital One on Amazon Web Services.
2021, Cash App Investing, LLC = 8.2 million records affected: Customers of Cash App had their personal data compromised after a former employee downloaded internal reports without permission. The data exposed included their brokerage account number as well as their recent trading activity.
2020, Dave, Inc. = 7.5 million records affected: A malicious party gained unauthorized access to Dave, Inc (a personal finance app).
2020, Infinity Insurance Company = 5.72 million records affected: Upon investigation, Infinity Insurance discovered unauthorized access to files on certain company servers within their network across two days.
2021, Insurance Technologies Corporation = 4.34 million records affected: Insurance Technologies Corp. was forced to pay $11 million in a data breach class action with the U.S. District Court. The company failed to adequately protect and secure customer information which resulted in personal information being exploited by an unauthorized party.
2022, Elephant Insurance Services, LLC = 2.76 million records affected: After suspecting unusual activity on their network, Elephant Insurance determined that consumer information may have been viewed or copied from their network including names, driver’s license numbers, and DOBs.
2021, Lakeview Loan Servicing, LLC = 2.53 million records affected: This financial breach caused uproar when Lakeview Loan Servicing failed to notify the affected consumers for three months. Class members suffered out-of-pocket expenses as well as their personal information being compromised.
2022, the Professional Finance Company = 1.9 million records: Hit by a ransomware attack in February 2022, debt collection firm, the Professional Finance Company, reported to the U.S. Department of Health and Human Services that more than 1.9 million patients’ records were impacted.
2022, Texas Department of Insurance = 1.8 million records affected: Personal information of nearly 2 million Texans was exposed and publicly available for nearly three years due to a glitch in the code of the department’s web application.
2021, Horizon Actuarial Services, LLC = 1.54 million records affected: In this ransomware attack, a hacking group was paid an undisclosed amount of money in exchange for stolen information to be deleted and not distributed or misused. Two computer servers were accessed without authorization.
2021, Flagstar Bank (third-party Accellion) = 1.54 million records affected: It took Flagstar six months to recognize that there had been unauthorized access to its network, resulting in 1.5 million customers having their Social Security numbers stolen.
2018, SunTrust Banks, Inc = 1.5 million records affected: A former employee stole printed copies of client contact lists including names, addresses, phone numbers, account balances, and emails.
2020, Arthur J. Gallagher & Co. = 1.14 million records affected: Gallagher detected a ransomware event impacting their internal systems. Hackers obtained high-profile personal customer data including passports, tax identification numbers, credit card information, electronic signatures, usernames, and passwords.

These highest-ranking financial data breaches covered a range of data breach types, including hacking, ransomware, disclosure, and insider breaches. See the graph below on what was the most popular data breach type used.

Hacking has proven to be the most popular method for data breaches with more than half of breaches occurring this way (508 out of 982 breaches). Hacking attacks increased by 16 percent from 2019 to 2020 and by over 30 percent from 2020 to 2021.

Some of the biggest increases in recent years have come from ransomware, which was the source of 5 breaches in 2018, 2 in 2019, 17 in 2020, and 26 in 2021. These types of breaches, in which malicious actors demand a paid sum in return for destroying or safely returning stolen data, are becoming more popular. This is something we have noted in our ongoing tracking of US ransomware attacks, whereby hackers are using “double-dip” extortion tactics. This involves bad actors encrypting systems to cause crippling downtime for organizations while also stealing data that they can hold to ransom or sell elsewhere.

In contrast, we are seeing a decrease in physical breaches, with zero reported in 2020 and 2021. This reflects the movement of many documents to online formats, which, while convenient, puts these documents at higher risk of exploitation via hacking–as we can see.

The top 5 worst-hit states for financial data breaches and records impacted

If we take a look at the number of breaches by US state, we can see that California had the most by far, accounting for 115 (almost 12 percent) of the 982 data breaches.

Financial data breaches and records affected by year and state

	TOTAL				2018		2019		2020		2021		2022 (to June)
State	Total # of Breaches	Total # of Records Affected	Population of the State	# of Records Affected per 100,000 People	Total # of Breaches	Total # of Records Affected	Total # of Breaches	Total # of Records Affected	Total # of Breaches	Total # of Records Affected	Total # of Breaches	Total # of Records Affected	Total # of Breaches	Total # of Records Affected
Alabama	13	5,830,381	5,039,877	115,685	4	9,429	4	71,488	3	5,733,064	2	16,400	0	0
Alaska	1	0	732,673	0	0	0	0	0	0	0	1	0	0	0
Arizona	7	203,829	7,276,316	2,801	1	0	1	825	1	0	4	203,004	0	0
Arkansas	3	503	3,025,891	17	1	0	0	0	0	0	2	503	0	0
California	115	8,733,256	39,237,836	22,257	16	100,272	24	170,707	29	8,025,329	40	263,840	6	173,108
Colorado	15	2,272,681	5,812,069	39,103	3	4	2	1,867	4	28,215	5	323,654	1	1,918,941
Connecticut	18	220,729	3,605,597	6,122	4	53,865	4	45,624	1	0	8	114,232	1	7,008
Delaware	7	2,538,188	1,003,384	252,963	1	752	3	167	2	8	1	2,537,261	0	0
District of Columbia	9	156,106	670,050	23,298	1	0	4	5,671	2	14,637	2	135,798	0	0
Florida	42	866,384	21,781,128	3,978	13	16,391	8	22,967	7	694,222	14	132,804	0	0
Georgia	21	3,110,174	10,799,566	28,799	7	1,504,624	5	4,975	6	49,124	3	1,551,451	0	0
Hawaii	3	60,340	1,441,553	4,186	0	0	1	55,840	0	0	2	4,500	0	0
Idaho	1	17,438	1,900,923	917	0	0	1	17,438	0	0	0	0	0	0
Illinois	57	1,288,539	12,671,469	10,169	15	58,156	7	11,960	16	1,194,196	18	24,227	1	0
Indiana	35	886,001	6,805,985	13,018	15	818,357	5	9,603	6	379	8	57,540	1	122
Iowa	26	372,257	3,193,079	11,658	6	7,007	7	40,924	3	26,834	10	297,492	0	0
Kansas	8	191,639	2,934,582	6,530	0	0	1	1,639	3	19,211	4	170,789	0	0
Kentucky	7	37,446	4,509,394	830	2	1,573	1	1,527	1	1,548	2	23,216	1	9,582
Louisiana	6	329,705	4,624,047	7,130	0	0	2	42,385	1	170,426	3	116,894	0	0
Maine	3	2,914	1,372,247	212	0	0	2	2,038	0	0	1	876	0	0
Maryland	30	214,702	6,165,129	3,483	10	3,773	14	121,478	4	1,226	2	88,225	0	0
Massachusetts	41	349,793	6,984,723	5,008	14	274,959	8	8,109	5	19,733	11	45,039	3	1,953
Michigan	25	1,867,666	10,050,811	18,582	4	4,304	5	65,258	6	94,818	8	1,697,534	2	5,752
Minnesota	29	823,154	5,707,390	14,423	8	2,346	5	93,960	8	28,081	7	698,592	1	175
Mississippi	3	21,764	2,949,965	738	1	7,690	1	0	1	14,074	0	0	0	0
Missouri	16	503,865	6,168,187	8,169	4	819	6	11,298	0	0	6	491,748	0	0
Montana	4	1,910	1,104,271	173	2	489	0	0	1	1,311	0	0	1	110
Nebraska	11	60,318	1,963,692	3,072	6	12,241	3	41,401	0	0	1	3,531	1	3,145
Nevada	1	0	3,143,991	0	0	0	0	0	1	0	0	0	0	0
New Hampshire	9	7,517	1,388,992	541	3	298	1	1	1	168	4	7,050	0	0
New Jersey	33	304,124	9,267,130	3,282	9	4,244	7	8,269	9	27,533	8	264,078	0	0
New Mexico	5	242,573	2,115,877	11,464	0	0	0	0	2	0	2	12,825	1	229,748
New York	80	916,599	19,835,913	4,621	21	88,364	15	123,973	21	262,105	21	381,850	2	60,307
North Carolina	18	320,154	10,551,162	3,034	4	105,990	3	2,378	6	21,658	4	190,128	1	0
North Dakota	3	6,955	774,948	897	0	0	0	0	1	0	1	6,955	1	0
Ohio	29	235,817	11,780,017	2,002	5	106,256	8	23,750	9	10,640	6	91,050	1	4,121
Oklahoma	8	240,594	3,986,639	6,035	1	7,013	0	0	7	233,581	0	0	0	0
Oregon	7	8,207,909	4,246,155	193,302	2	1,090	2	3,991	1	0	2	8,202,828	0	0
Pennsylvania	48	275,387	12,964,056	2,124	11	23,356	8	15,048	15	88,615	12	116,249	2	32,119
Rhode Island	2	547	1,095,610	50	1	262	1	285	0	0	0	0	0	0
South Carolina	4	58,377	5,190,705	1,125	0	0	0	0	2	11,424	1	28,201	1	18,752
South Dakota	7	39,824	895,376	4,448	0	0	2	1	4	39,823	0	0	1	0
Tennessee	15	56,080	6,975,218	804	5	4,605	1	1,513	3	12,366	4	37,313	2	283
Texas	63	7,594,826	29,527,941	25,721	18	223,320	11	50,370	18	1,053,993	13	4,438,350	3	1,828,793
Utah	13	306,618	3,337,975	9,186	7	2,963	3	23,544	1	220,245	2	59,866	0	0
Vermont	4	5,596	645,570	867	2	0	2	5,596	0	0	0	0	0	0
Virginia	38	103,128,306	8,642,274	1,193,301	10	2,637	9	100,199,323	10	146,493	6	17,166	3	2,762,687
Washington	15	36,275	7,738,692	469	2	2,560	5	8,341	4	8,310	4	17,064	0	0
West Virginia	1	5,114	1,782,959	287	0	0	0	0	1	5,114	0	0	0	0
Wisconsin	20	374,821	5,895,908	6,357	8	28,691	2	223	6	23,302	4	322,605	0	0
Wyoming	3	8,450	578,803	1,460	0	0	1	8,450	1	0	1	0	0	0

TOTALS	982	153,334,145	331,893,745	46,200	247	3,478,700	205	101,324,205	233	18,281,806	260	23,192,728	37	7,056,706

New York (80), Texas (63), Illinois (57), and Pennsylvania (48) are the other four worst-hit states. However, as all of these are among some of the most populous states in the US, this perhaps isn’t much of a surprise.

When it comes to the number of records affected, the picture does change somewhat.

Virginia comes out on top for the number of records affected, making up nearly 65 percent of records affected across all states (103 million out of 151.7m records). However, most of these come from the aforementioned Capital One data breach. As the head office is located in Virginia, the records are assigned to this state but residents from across the US will have been affected.

Nevertheless, even if we disregard the Capital One breach, Virginia would still rank in 5th place for records impacted due a further 3,128,306 being impacted in the state.

California records the second-highest number of records impacted with 8.7 million records breached, closely followed by Oregon (8.2 million), Texas (7.6 million), and Alabama (5.8 million).

Georgia, Delaware, Colorado, Michigan, and Illinois also recorded breaches of more than 1 million records.

It goes without saying that Virginia tops the charts again for the number of records affected per 100,000 people. But when we look at the remaining top states, we started to see which states may have been the most impacted by financial data breaches.

Delaware records the second-highest number of breached records per 100,000 people with 252,963 records. This was closely followed by Oregon (193,302 records affected per 100,000 people) and Alabama (115,685 records affected per 100,000 people).

These four states were the only ones to have more than 100,000 affected records for every 100,000 people of the population. For example, the next highest was Colorado with 39,103 records affected per 100,000 people, showing just how many financial records those states lost in comparison.

Methodology

In order to gain a well-rounded view of financial data breaches that have occurred over the last 4.5 years, our team searched through industry resources, state data breach notification tools, and news sources to collate an extensive list of data breaches dating back to 2018.

Where possible the breach is assigned to the year and month in which it occurred. For example, a breach may have occurred in 2020 but may have only been disclosed in 2021. We would, therefore, allocate this to 2020’s figures, as this is when the breach happened.

Each breach was assigned to a breach type where possible, quite often not enough information was disclosed about the data breach and there the breach was assigned to be unknown.

Health insurance companies haven’t been included in this report as we categorize these under health organizations in our other reports.

Data Researcher: Charlotte Bond