Financial data breaches accounted for 232 million leaked records

Since January 2018, financial companies have suffered 2,260 data breaches, affecting over 232 million records.

Our team of researchers analyzed data from 2018 to September 2023 to find out the biggest cause of these breaches, how many records have been affected each month and year, the most affected financial organizations, and which US states see the most financial breaches.

Our study covered breaches that affected millions of people, some of which led to the exploitation of personal financial data, putting many victims out of pocket. Bank details, Social Security numbers, credentials/passwords, and tax identification numbers are just some examples of the types of data bad actors are stealing from financial institutions.

2022 saw the highest number of financial data breaches so far with 615 in total, a 59 percent increase on 2021’s figures (388). But 2023 looks set to exceed this, with 521 data breaches recorded up until September. The number of records involved is also on the up. Records affected increased from 24.9 million in 2021 to 29.3 million in 2022. 2023 looks set to at least double these figures, having already seen a whopping 43.6 million records impacted in financial data breaches.

Key findings:

2,260 financial data breaches from January 2018 to September 2023
232,101,892 individual records were affected as a result of these breaches
2022 was the biggest year for financial breaches with 615 reported
2019 was the biggest year for the number of records affected with over 101 million in total. The vast majority of these (100m) stemmed from the Capital One breach
Banks have seen the most data breaches, closely followed by insurance companies and investment companies
Hacking was the most common type of breach, accounting for 32 percent of breaches (734 out of 2,260)
Over the last two years, we have introduced breaches via a third party as a category. This is due to a number of large-scale attacks affecting hundreds of companies at a time (the MOVEit Transfer breach, for example). In 2022, 98 breaches featured in this category, while 2023 has already seen 199

While all 50 US states require mandatory reporting of data breaches, there are some variations. For example, some have different requirements depending on the number of records affected. In Alaska, if more than 1,000 people need to be notified of a breach, consumer reporting agencies must also be notified. Equally, only some states have publicly available lists of the data breach notifications they have received. Therefore, the figures we have found are likely to just scratch the surface of the true extent of financial data breaches.

The biggest years for financial data breaches

2022 was the biggest year for financial data breaches with 615 in total. But 2023 looks set to surpass this (521 have been reported already). These figures are in part due to the third-party breaches noted above.

If you were to exclude the 100 million records affected in Capital One’s 2019 data breach, breached records have risen dramatically over the last four years (from 3.5 million in 2018). 2020 and 2022 both saw figures of just over 29 million and 2021’s figure was slightly lower at just under 25 million.

What is 2023 looking like for financial data breaches?

As we enter the final quarter of the year, 2023 has seen 521 data breaches with 43,596,136 records impacted as a result. Data breaches within the financial sector are on an uphill trajectory, with the total number of breaches this year likely to exceed figures from 2022. Many large-scale third-party attacks occurred throughout 2022 and 2023 (such as the MOVEit Transfer breach in May 2023). Hackers are targeting companies with large datasets, and financial data is arguably some of the most valuable data to get your hands on.

Data breaches by the type of financial company

When we break down the data by the type of financial company impacted by the data breach, we can see the types of organizations that are being targeted and how this has changed on a year-by-year basis.

Overall, banks are the most heavily targeted organizations, accounting for 32 percent (720) of all the financial data breaches we’ve tracked since 2018. They are followed by insurance companies (563 breaches) and investment companies (201 breaches).

Credit unions have seen growth in attacks, rising from just 10 attacks in 2018 to 47 in 2022. In contrast, accounting and tax firms have seen fewer attacks on a yearly basis, dropping from 20 attacks in 2018 to 9 in 2022.

Banking saw the most records impacted, but most of these (100m of 107.8m) were from the Capital One breach. Insurance companies have also seen a large volume of records impacted, with more than 55.4 million affected over our reporting period. 29.7 million of these records were affected in 2023.

Organizations specializing in savings and loans and financial technology firms have seen some of the biggest increases in records affected. The former saw 7.7 million records impacted in 2022 (compared to just over 788,000 in 2021) while the latter noted 9.1 million impacted records in 2022 (compared to 143,500 in 2021). Both have noted high figures for 2023 (3.5 million and 7.1 million respectively). 2023 has also seen an uptick in records stolen from wealth management (1.1 million) and retirement/pension firms (1.7 million).