Financial breaches accounted for 153.3 million leaked records from January 2018 to June 2022 (1)

Since January 2018, financial companies have suffered nearly a thousand data breaches, affecting over 153.3 million records.

Our team of researchers analyzed data from 2018 to June 2022 to find out the biggest cause of these breaches, how many records have been affected each month and year, the most-affected financial organizations, and which US states see the most financial breaches.

Our study covered breaches that affected millions of people, some of which led to the exploitation of personal financial data, putting many victims out of pocket. Bank details, Social Security numbers, credentials/passwords, and tax identification numbers are just some examples of the types of data bad actors are stealing from financial entities.

2021 was the worst year for financial data breaches with a 12 percent increase on 2020’s figure (rising from 233 breaches to 260). So far, 2022 does seem quieter in terms of the number of breaches being carried out (just 37 breaches have been recorded up until the end of June). However, the median number of records impacted is the highest it has been since 2018, and with many breaches reported several months after they occurred, it’s likely these figures will rise over time.

Key findings:

  • 982 financial data breaches from January 2018 to June 2022
  • 153,334,145 individual records were affected as a result of these breaches
  • 2021 was the biggest year for financial breaches with 260 reported (the second-highest was 2018 with 247)
  • 2019 was the biggest year for the number of records affected with over 101 million in total (2021 had the second-highest but with a much lower figure of 23.2 million)
  • 2019’s vast record count stems primarily from the breach on Capital One, N.A. where 100 million records (made up of payment and card details) were stolen from victims
  • 2022 is the biggest year (so far) for the median number of records impacted in financial data breaches–3,633
  • Insurance companies have seen the most data breaches, closely followed by banks and investment companies
  • Hacking was the most common type of breach, accounting for over 50 percent of breaches (508 out of 982)
  • Ransomware attacks are a growing threat for financial data breaches, having increased significantly in recent years

While all 50 US states have mandatory reporting of data breaches, there are some variations. For example, some have different requirements depending on the number of records affected, e.g. in Alaska, if more than 1,000 people need to be notified of a breach, consumer reporting agencies must also be notified. Equally, only some states have publicly-available lists of the data breach notifications they have received. Therefore, the figures we have found are likely to just scratch the surface of the true extent of financial data breaches.

The biggest years for financial data breaches

2021 was the biggest year for financial data breaches with 260 in total. 2018 also recorded a high number of breaches with 247 reported but had the lowest number of records impacted with just 3.5 million.

If you were to exclude the 100 million records affected in Capital One’s 2019 data breach, breached records have been increasing year on year from 3.5 million in 2018 to 18.3 million in 2020 and a further increase to 23.2 million in 2021.

Equally, if we look at the median number of records affected each year, there were sharp increases from 2018 to 2019 (rising by 145 percent from 585 to 1,433) and from 2019 to 2020 (rising by 100 percent from 1,433 to 2,872). This reduced slightly from 2020 to 2021 (dropping by 1.5 percent to 2,828) but has increased by 28 percent from 2021 to 2022 (rising to 3,633). This adds to the fact that attacks appear to be becoming more targeted in their approach.

What is 2022 looking like for financial data breaches?

During the first six months of 2022, there have been 37 reported financial data breaches with 7,056,706 records affected. While these figures may appear small now, it is likely that figures will rise in the coming months. Nevertheless, across our data breach and ransomware reports, we are noticing a dip in 2022. This is perhaps due to more targeted attacks being carried out. We can see this with the ransomware attack on the Professional Finance Company, where over 650 healthcare providers and a growing number of victims (1.9 million and counting) are reported to have been affected by this attack.

Data breaches by the type of financial company

When we break down the data by the type of financial company impacted by the data breach, we can see the types of organizations that are being targeted and how this has changed on a year-by-year basis.

Please note: a company has been categorized based on its primary service. For example, some investment companies may also offer advice on insurance policies but have been categorized as an investment company. 

Overall, insurance companies are the most heavily-targeted organizations, accounting for 23 percent (223) of all the financial data breaches we’ve tracked since 2018. They are followed by banks (170 breaches) and investment companies (162 breaches). However, on a year-on-year basis, it is insurance companies that have seen the most growth. Bank-based attacks peaked in 2020, while investment attacks dipped in 2020 but rose again in 2021.

Mortgage companies have also seen a growth in attacks, rising by 33 percent (from 15 to 20) from 2020 to 2021. In contrast, savings and loans companies have seen fewer attacks on a yearly basis, dropping from 25 attacks in 2018 to 11 in 2021.

When it comes to the records impacted in these attacks, banking saw the most impacted, but most of these–100m of 104.7m–were from the Capital One breach. Insurance companies have also seen a large volume of records impacted, with nearly 20 million affected over our reporting period.

If we look at the median records impacted by type of financial organization, the most heavily-impacted organizations change. Crypto (53,080) and internet banks (3.75m) have the highest medians, but this is due to only a few companies being attacked in their respective categories, which skew the medians here. However, across a larger number of breaches, it is retirement/pension companies that see the highest median records affected: 22,661.

This is significantly higher than the likes of insurance (with a median of 1,527), banks (with a median of 2,401), and investment companies (with a median of 1,076). And a lot higher than all of the other categories we’ve covered–accounting and tax (1,999), brokerage firms (4,365), credit unions (5,671), financial advisors (357), financial technology (1,103), mortgage companies (1,928), and savings and loans (1,479).

The biggest-known financial data breaches from January 2018 to June 2022

According to our findings, there have been 13 financial data breaches in which one million or more records have been impacted. These are:

  • 2019, Capital One, N.A. = 100 million records affected: A hacker illegally accessed and obtained 100 million Capital One credit card users’ personal and banking information due to a misconfiguration of a firewall. This allowed the intruder to access user data stored by Capital One on Amazon Web Services.
  • 2021, Cash App Investing, LLC = 8.2 million records affected: Customers of Cash App had their personal data compromised after a former employee downloaded internal reports without permission. The data exposed included their brokerage account number as well as their recent trading activity.
  • 2020, Dave, Inc. = 7.5 million records affected: A malicious party gained unauthorized access to Dave, Inc (a personal finance app).
  • 2020, Infinity Insurance Company = 5.72 million records affected: Upon investigation, Infinity Insurance discovered unauthorized access to files on certain company servers within their network across two days.
  • 2021, Insurance Technologies Corporation = 4.34 million records affected: Insurance Technologies Corp. was forced to pay $11 million in a data breach class action with the U.S. District Court. The company failed to adequately protect and secure customer information which resulted in personal information being exploited by an unauthorized party.
  • 2022, Elephant Insurance Services, LLC = 2.76 million records affected: After suspecting unusual activity on their network, Elephant Insurance determined that consumer information may have been viewed or copied from their network including names, driver’s license numbers, and DOBs.
  • 2021, Lakeview Loan Servicing, LLC = 2.53 million records affected: This financial breach caused uproar when Lakeview Loan Servicing failed to notify the affected consumers for three months. Class members suffered out-of-pocket expenses as well as their personal information being compromised.
  • 2022, the Professional Finance Company = 1.9 million records: Hit by a ransomware attack in February 2022, debt collection firm, the Professional Finance Company, reported to the U.S. Department of Health and Human Services that more than 1.9 million patients’ records were impacted.
  • 2022, Texas Department of Insurance = 1.8 million records affected: Personal information of nearly 2 million Texans was exposed and publicly available for nearly three years due to a glitch in the code of the department’s web application.
  • 2021, Horizon Actuarial Services, LLC = 1.54 million records affected: In this ransomware attack, a hacking group was paid an undisclosed amount of money in exchange for stolen information to be deleted and not distributed or misused. Two computer servers were accessed without authorization.
  • 2021, Flagstar Bank (third-party Accellion) = 1.54 million records affected: It took Flagstar six months to recognize that there had been unauthorized access to its network, resulting in 1.5 million customers having their Social Security numbers stolen.
  • 2018, SunTrust Banks, Inc = 1.5 million records affected: A former employee stole printed copies of client contact lists including names, addresses, phone numbers, account balances, and emails.
  • 2020, Arthur J. Gallagher & Co. = 1.14 million records affected: Gallagher detected a ransomware event impacting their internal systems. Hackers obtained high-profile personal customer data including passports, tax identification numbers, credit card information, electronic signatures, usernames, and passwords.

These highest-ranking financial data breaches covered a range of data breach types, including hacking, ransomware, disclosure, and insider breaches. See the graph below on what was the most popular data breach type used.

Hacking has proven to be the most popular method for data breaches with more than half of breaches occurring this way (508 out of 982 breaches). Hacking attacks increased by 16 percent from 2019 to 2020 and by over 30 percent from 2020 to 2021.

Some of the biggest increases in recent years have come from ransomware, which was the source of 5 breaches in 2018, 2 in 2019, 17 in 2020, and 26 in 2021. These types of breaches, in which malicious actors demand a paid sum in return for destroying or safely returning stolen data, are becoming more popular. This is something we have noted in our ongoing tracking of US ransomware attacks, whereby hackers are using “double-dip” extortion tactics. This involves bad actors encrypting systems to cause crippling downtime for organizations while also stealing data that they can hold to ransom or sell elsewhere.

In contrast, we are seeing a decrease in physical breaches, with zero reported in 2020 and 2021. This reflects the movement of many documents to online formats, which, while convenient, puts these documents at higher risk of exploitation via hacking–as we can see.

The top 5 worst-hit states for financial data breaches and records impacted

If we take a look at the number of breaches by US state, we can see that California had the most by far, accounting for 115 (almost 12 percent) of the 982 data breaches.

Financial data breaches and records affected by year and state

 TOTAL20182019202020212022 (to June)
StateTotal # of BreachesTotal # of Records AffectedPopulation of the State# of Records Affected per 100,000 PeopleTotal # of BreachesTotal # of Records AffectedTotal # of BreachesTotal # of Records AffectedTotal # of BreachesTotal # of Records AffectedTotal # of BreachesTotal # of Records AffectedTotal # of BreachesTotal # of Records Affected
Alabama135,830,3815,039,877115,68549,429471,48835,733,064216,40000
Alaska10732,67300000001000
Arizona7203,8297,276,3162,801101825104203,00400
Arkansas35033,025,89117100000250300
California1158,733,25639,237,83622,25716100,27224170,707298,025,32940263,8406173,108
Colorado152,272,6815,812,06939,1033421,867428,2155323,65411,918,941
Connecticut18220,7293,605,5976,122453,865445,624108114,23217,008
Delaware72,538,1881,003,384252,963175231672812,537,26100
District of Columbia9156,106670,05023,2981045,671214,6372135,79800
Florida42866,38421,781,1283,9781316,391822,9677694,22214132,80400
Georgia213,110,17410,799,56628,79971,504,62454,975649,12431,551,45100
Hawaii360,3401,441,5534,18600155,8400024,50000
Idaho117,4381,900,92391700117,438000000
Illinois571,288,53912,671,46910,1691558,156711,960161,194,1961824,22710
Indiana35886,0016,805,98513,01815818,35759,6036379857,5401122
Iowa26372,2573,193,07911,65867,007740,924326,83410297,49200
Kansas8191,6392,934,5826,5300011,639319,2114170,78900
Kentucky737,4464,509,39483021,57311,52711,548223,21619,582
Louisiana6329,7054,624,0477,13000242,3851170,4263116,89400
Maine32,9141,372,2472120022,03800187600
Maryland30214,7026,165,1293,483103,77314121,47841,226288,22500
Massachusetts41349,7936,984,7235,00814274,95988,109519,7331145,03931,953
Michigan251,867,66610,050,81118,58244,304565,258694,81881,697,53425,752
Minnesota29823,1545,707,39014,42382,346593,960828,0817698,5921175
Mississippi321,7642,949,96573817,69010114,0740000
Missouri16503,8656,168,1878,1694819611,298006491,74800
Montana41,9101,104,27117324890011,311001110
Nebraska1160,3181,963,6923,072612,241341,4010013,53113,145
Nevada103,143,99100000100000
New Hampshire97,5171,388,992541329811116847,05000
New Jersey33304,1249,267,1303,28294,24478,269927,5338264,07800
New Mexico5242,5732,115,87711,464000020212,8251229,748
New York80916,59919,835,9134,6212188,36415123,97321262,10521381,850260,307
North Carolina18320,15410,551,1623,0344105,99032,378621,6584190,12810
North Dakota36,955774,94889700001016,95510
Ohio29235,81711,780,0172,0025106,256823,750910,640691,05014,121
Oklahoma8240,5943,986,6396,03517,013007233,5810000
Oregon78,207,9094,246,155193,30221,09023,9911028,202,82800
Pennsylvania48275,38712,964,0562,1241123,356815,0481588,61512116,249232,119
Rhode Island25471,095,6105012621285000000
South Carolina458,3775,190,7051,1250000211,424128,201118,752
South Dakota739,824895,3764,4480021439,8230010
Tennessee1556,0806,975,21880454,60511,513312,366437,3132283
Texas637,594,82629,527,94125,72118223,3201150,370181,053,993134,438,35031,828,793
Utah13306,6183,337,9759,18672,963323,5441220,245259,86600
Vermont45,596645,5708672025,596000000
Virginia38103,128,3068,642,2741,193,301102,6379100,199,32310146,493617,16632,762,687
Washington1536,2757,738,69246922,56058,34148,310417,06400
West Virginia15,1141,782,959287000015,1140000
Wisconsin20374,8215,895,9086,357828,6912223623,3024322,60500
Wyoming38,450578,8031,4600018,450101000
TOTALS982153,334,145 331,893,745 46,200 2473,478,700 205101,324,205 23318,281,806 26023,192,728 377,056,706

New York (80), Texas (63), Illinois (57), and Pennsylvania (48) are the other four worst-hit states. However, as all of these are among some of the most populous states in the US, this perhaps isn’t much of a surprise.

When it comes to the number of records affected, the picture does change somewhat.

Virginia comes out on top for the number of records affected, making up nearly 65 percent of records affected across all states (103 million out of 151.7m records). However, most of these come from the aforementioned Capital One data breach. As the head office is located in Virginia, the records are assigned to this state but residents from across the US will have been affected.

Nevertheless, even if we disregard the Capital One breach, Virginia would still rank in 5th place for records impacted due a further 3,128,306 being impacted in the state.

California records the second-highest number of records impacted with 8.7 million records breached, closely followed by Oregon (8.2 million), Texas (7.6 million), and Alabama (5.8 million).

Georgia, Delaware, Colorado, Michigan, and Illinois also recorded breaches of more than 1 million records.

It goes without saying that Virginia tops the charts again for the number of records affected per 100,000 people. But when we look at the remaining top states, we started to see which states may have been the most impacted by financial data breaches.

Delaware records the second-highest number of breached records per 100,000 people with 252,963 records. This was closely followed by Oregon (193,302 records affected per 100,000 people) and Alabama (115,685 records affected per 100,000 people).

These four states were the only ones to have more than 100,000 affected records for every 100,000 people of the population. For example, the next highest was Colorado with 39,103 records affected per 100,000 people, showing just how many financial records those states lost in comparison.

Methodology

In order to gain a well-rounded view of financial data breaches that have occurred over the last 4.5 years, our team searched through industry resources, state data breach notification tools, and news sources to collate an extensive list of data breaches dating back to 2018.

Where possible the breach is assigned to the year and month in which it occurred. For example, a breach may have occurred in 2020 but may have only been disclosed in 2021. We would, therefore, allocate this to 2020’s figures, as this is when the breach happened.

Each breach was assigned to a breach type where possible, quite often not enough information was disclosed about the data breach and there the breach was assigned to be unknown.

Health insurance companies haven’t been included in this report as we categorize these under health organizations in our other reports.

Data Researcher: Charlotte Bond

Sources

https://oag.ca.gov/privacy/databreach/list

https://attorneygeneral.delaware.gov/fraud/cpu/securitybreachnotification/database/

https://cca.hawaii.gov/ocp/notices/security-breach/

https://www.in.gov/attorneygeneral/consumer-protection-division/id-theft-prevention/security-breaches/

https://www.iowaattorneygeneral.gov/for-consumers/security-breach-notifications

https://apps.web.maine.gov/online/aeviewer/ME/40/list.shtml

https://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx

https://www.mass.gov/lists/data-breach-notification-reports

https://www.mass.gov/archive/data-breach-notification-letters

https://dojmt.gov/consumer/databreach/

https://www.doj.nh.gov/consumer/security-breaches/index.htm

https://www.cyber.nj.gov/threat-center/public-data-breaches/

https://attorneygeneral.nd.gov/consumer-resources/data-breach-notices

https://cybersecurity.ok.gov/breaches

https://justice.oregon.gov/consumer/DataBreach/

https://ago.vermont.gov/archived-security-breaches/?2021

https://www.atg.wa.gov/data-breach-notifications

https://datcp.wi.gov/Pages/Programs_Services/DataBreaches.aspx

https://iapp.org/resources/article/u-s-state-data-breach-lists/

https://oagtx.force.com/datasecuritybreachreport/apex/DataSecurityReportsPage

https://www.idtheftcenter.org/notified/