Lost and stolen devices account for 1 in 4 breaches in the financial services sector

We often hear about the risks of data breaches, but it's interesting to look at some root cause statistics.

hacker matrix hacking
Credit: Thinkstock

Bitglass is a vendor in the cloud access security broker (CASB) space. What that means is that Bitglass is focused on ensuring organizations utilize strong security tools and processes to keep their data safe. It's a busy space and one in which being seen as a thought leader is important; hence, Bitglass and its competitors invest lots of effort in creating content that is broadly useful to the industry.

A case in point is the recently released financial services breach report that Bitglass undertook. The research looked at all breaches in the financial services sector since 2006, using data aggregated from public databases and government-mandated disclosures. It's actually an important piece of work, because it's very easy for people to make broad sweeping generalizations about the cause (and effect) of these data breaches, but wrapping some empirical data around the occurrences does more in terms of credibly educating the industry.

Anyway, the report found that leaks within the financial services industry almost doubled between 2014 and 2015, with that increase looking set to continue through 2016. All of the U.S.'s largest banks have suffered recent leaks, and in the first half of this year alone, five of the top 20 banks in the U.S. disclosed breaches.

Interestingly, the report looked into the most common causes of data leaks. Ever since the advent of cloud computing, I've heard pushback from financial services firms suggesting that the public cloud simply isn't secure enough for them and introduces too many risks. So is public cloud a big cause of data leaks? Well, no.

Perhaps unsurprisingly, the human element, as is so often the case, is the issue here. It seems that lost and stolen devices account for over 25% of breach events. It seems that these organizations should look to themselves -- financial services organizations appear to struggle with data protection on managed and unmanaged devices.

This human element extends further into the statistics: While hacking accounted for a disproportionate number of individuals affected by financial services breaches, only 1 in 5 leaks were caused by hacking. Other breaches were the result of more human issues -- unintended disclosures, malicious insiders and lost paper records.

Key findings from the report include:

  • 1 in 4 breaches in the financial services sector over the last several years were due to lost or stolen devices; 1 in 5 were the result of hacking.
  • 14% of leaks can be attributed to unintended disclosures and 13% to malicious insiders.
  • Five of the nation's 20 largest banks have already suffered data breaches in the first half of 2016.
  • In 2015, 87 breaches were reported in the financial services sector, up from 45 in 2014.
  • In the first half of 2016, 37 banks have already disclosed breaches.
  • Over 60 organizations suffered recurring breaches in the last decade, including most major banks.
  • JP Morgan Chase, the nation's largest bank, has suffered recurring breaches since 2007. The largest breach event, the result of a cyberattack, was widely publicized in 2014 and affected an estimated 76 million U.S. households.
  • Of the three major credit bureaus, the 2015 Experian leak was the largest, affecting 15 million individuals.

"Financial institutions are prime targets for hackers and are rightfully concerned about the threat of cyberattacks, device theft and malicious insiders," said Nat Kausik, CEO of Bitglass. "To stay one step ahead as data moves beyond the firewall, firms in this sector must encrypt cloud data at rest, control access by contextual risk and protect data on unmanaged devices."


It just goes to show, the simplest things are sometimes the biggest risks. Clearly, encryption and good password control is a key issue here but, at its essence, security boils down to people. Simply informing and advising employees of the impacts of their actions is a good way to build awareness around the issues.

This article is published as part of the IDG Contributor Network. Want to Join?

The march toward exascale computers
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies