What are the costs associated with a data breach or a cyber attack on a fintech company? Have these costs been increasing or decreasing? Are the direct financial losses – fraud from customers’ accounts – bigger than operational and reputational losses? What techniques have the attackers used in recent security incidents?
As the number of cyber attacks against financial services groups in the UK has reportedly soared in the past couple of years, these questions are prompting increased concern among fintech companies. In this article we look at some recent major cyber security incidents and see what we can learn from them.
In April this year, the payday lender Wonga suffered a large data breach – personal data belonging to 270,000 clients from the UK and Poland was stolen. The breach generated undisclosed operational and reputational losses, but the company did not report any fraud from the affected customers’ bank accounts and was not fined by the Information Commissioner’s Office (ICO).
Wonga did not explain how the breach occurred. However, Marco Essomba, the iCyber Security founder, believes the method used was SQL injection, in which attacker-supplied input is relayed to a web application and ends up being interpreted as part of a database query, so that the application executes commands of the attacker’s choosing and leaks data.
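To make the mechanism concrete, the following added example (not code from the article or from any of the companies it mentions) shows a customer lookup written two ways against a constructed in-memory table: one that pastes untrusted input into the SQL text, and the parameterized form that keeps data and query separate. Table and column names are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample customer store; stands in for a lender's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, sort_code TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "11-22-33"), (2, "bob@example.com", "44-55-66")],
    )
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable pattern: the caller-controlled value becomes part of the SQL text.

    Any quote character in `email` changes the structure of the query, so a
    value that is not a real address can still make the WHERE clause true for
    every row and expose the whole table.
    """
    sql = "SELECT id, email, sort_code FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened pattern: the value is bound as a parameter.

    The database driver never parses the bound value as SQL, so the same
    unusual input simply matches no row instead of rewriting the query.
    """
    sql = "SELECT id, email, sort_code FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The classic tautology string used in training material to show why
    # concatenation is unsafe; it is not a valid e-mail address.
    probe = "x' OR '1'='1"
    print("unsafe rows:", len(lookup_unsafe(db, probe)))  # whole table
    print("safe rows:  ", len(lookup_safe(db, probe)))    # nothing
```

The same difference is what a code review or a SAST rule looks for: string building around a query versus a placeholder with bound parameters.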
In January 2017, Lloyds, Halifax and Bank of Scotland were, for several days, victims of a distributed denial of service (DDoS) attack that flooded their web sites with large volumes of artificial traffic and caused delays in online services for thousands of customers. No fraud occurred and no personal data was reported to be stolen in the attack, which did not prompt an ICO fine either. Media reports attributed the attack to a group of hackers who tried to extort a ransom of 100 Bitcoin (£75,000 / $94,000) from a top Lloyds executive, in exchange for stopping the attack and revealing the security flaws they had identified at the online banking portals.
Last November, Tesco Bank suspended online transactions for all its 136,000 customers after a cyber attack that resulted in £2.5m being stolen from around 9,000 current account holders. The bank did not reveal how the cyber theft was done. Some experts suggested the fraudsters found a vulnerability in its app; others believed the attackers succeeded in obtaining debit card details, or attributed the heist to a possible security issue at a third party connected to Tesco. A YouGov report estimated Tesco needed 55 days to recover after the attack and 14 weeks to return to its pre-crisis BrandIndex buzz score.
In September–October 2016, several Indian banks were hit by a cyber attack that forced them either to replace as many as 3.2 million debit cards or to request that users change their security codes. In addition, some customers complained that large sums of money had been taken from their accounts. The banks targeted were State Bank of India and its subsidiaries, Axis Bank, HDFC Bank, ICICI Bank and Yes Bank. The breach was apparently carried out through a virus or malware infection at one of the companies that operate ATMs in India.
These incidents look small in comparison with the cyber heist carried out in February 2016 on the Bangladesh Central Bank (known as Bangladesh State Bank), when $81 million was embezzled. Bangladeshi diplomatic sources revealed that hackers used Dridex malware to retrieve administrator-privileged credentials from the computer of a central bank official, which they then employed to make payments via SWIFT. The attackers ordered $951 million worth of transactions, of which they managed to actually transfer some $81 million. Of this, about $38 million was eventually recovered.
While none of the recent known cyber security incidents generated such major losses, a report on the state of IT security in the financial sector issued in March this year by Kaspersky Lab estimates that the average cost per serious incident is $988,000 for banks and $926,000 for financial firms in general. The report lists incidents involving exploits or vulnerabilities in point-of-sale systems as the costliest, at an average of around $2 million, followed by attacks on mobile devices (some $1.6 million) and targeted attacks ($1.3 million).
The report indicates that the estimated costs take into account compensation payouts to customers, lost business, damage to product premiums, additional wages for internal staff, and expenses related to employing external professionals, including PR to repair brand damage. Where customers’ data was actually stolen, the prevention of future breaches generates additional expenditure on infrastructure and software improvements, along with the hiring and training of new staff.
The key advice Kaspersky Lab offers this year to fintech companies that want to avoid falling prey to cyber security attacks includes: increased awareness of targeted attacks likely to be conducted through third parties; proper consideration of less sophisticated threats, which can cause huge losses at mass scale; regular penetration testing (and health checks) to identify unseen vulnerabilities; emphasis on protection rather than compliance when allocating IT security budgets; and adequate attention to insider threats, as some employees can be exploited by cyber attackers or – in some instances – even decide to become criminals themselves.
The highly digitized environment where fintech companies operate brings about massive business opportunities. At the same time, it enables cybercriminals to constantly try to steal credentials to make payments or purchases and gain access to customer accounts. Hackers have access to advanced tools and they can change attack patterns by using new combinations of attack vectors.
The spectacular increase in the use of mobile devices for online banking and access to financial services has added new challenges and concerns to the cyber security agenda of fintech operators.
The UK consistently ranks as a top cyber attack destination, although many organizations do not report the full extent of attacks out of fear of bad publicity and loss of brand confidence. Given the wide range of losses generated by the attacks – business disruption; revenue and information loss; reputational and equipment damage – and the magnitude of the costs, it is clear by now that cyber security is no longer just an IT issue but has become a boardroom issue.
With data protection rules changing in May 2018 (known as GDPR) and fines being introduced for failure to report breaches to the local ICOs, there is likely to be a substantial rise in the number of reported breaches; today’s figures are probably only the tip of the iceberg, as many such events still go unreported and undisclosed.
In conclusion, this is a sector that for a number of years will only see a further increase in media attention, drawing in more opportunistic attacks and placing even greater strain on an already desperate shortage of skilled defenders.