Posted on Jun 10, 2015
A Freedom of Information (FOI) request in the UK has revealed 791 data breaches at most of the country's major banks since the start of 2013, 585 of them in 2014 alone. The request was made by Egress Software Technologies, an email encryption provider, which recently reported a 183% rise in Data Protection Act (DPA) breach investigations. The DPA, which became law in 1998, aims to protect the personal data of UK citizens.
"Across all industries, the ICO has issued civil monetary penalties in excess of £7.5m, £455,000 of which were levied against financial services organisations," wrote Egress in its press release on the matter. It should be noted that Egress stands to gain business from more stringent email encryption requirements in the UK. That potential gain does not, however, lessen the case for stronger encryption and stronger authentication across the communication technologies that employees and customers use every day.
It should come as little surprise to security professionals that banks are big targets: they are in the business of moving money, expose large external IP footprints, and employ large workforces scattered all over the world. An article in Computing names seven banks that appear in the FOI request, among them Barclays, HSBC, Lloyds Banking Group, Natwest, Nationwide, and Santander.
Given this news about past breaches, we looked at the security grades of the banks named in the FOI over the last six months to see whether their posture has improved.
"It seems that financial institutions primarily have a focus on their external security postures of their most high value web application portals, such as login portals or applications that handle sensitive financial transactions," said Alex Heid, Chief of Research at SecurityScorecard. "If an attacker were to target the web applications using standard attacks, such as SQL injection, that would most likely set off an alert and it would be mitigated."
Six of the seven banks also scored well in network security and endpoint security, with 'A' grades. Only one of the seven scored poorly for network security, with a 'C'.
"A more successful and common attack vector is the use of the spear phishing email, whereby an attacker is able to convince an end user to click a malicious link or download a malicious attachment," said Heid. "Furthermore, the reuse of breached credentials from third party breaches is also a big threat to the internal networks of financial institutions."
Other problem areas for some of the banks include patching cadence, social engineering, and IP reputation. One bank received a 'B' for hacker chatter, with a single issue discovered on hacker forums; another received an 'F' for password exposure.