SOCRadar® Cyber Intelligence Inc. | Major Cyber Attacks Targeting the Finance Industry

Jul 25, 2024

Major Cyber Attacks Targeting the Finance Industry

The finance industry is an attractive target for cybercriminals due to the large amount of sensitive data and financial assets at stake. Over the past decade, we have witnessed a series of high-profile cybersecurity incidents that have not only compromised the security of financial institutions but also shaken the confidence of consumers and investors alike. Adam Smith’s concept of the invisible hand and the principle of laissez-faire suggest that markets, when left to their own devices, will naturally find equilibrium.

According to an IBM report, the global average cost of a data breach reached $4.45 million in 2023. Under the European Union’s General Data Protection Regulation (GDPR), the total fines imposed on the financial sector for breaches amounted to €1.3 billion in 2023.

However, in cybersecurity, this invisible hand is more of a vigilant overseer—a platform that constantly watches and intervenes to maintain order. In this context, SOCRadar XTI serves as this invisible hand, tirelessly monitoring hacker forums, Telegram channels, and ransomware groups’ websites to detect and mitigate cyber threats. This blog post aims to shed light on some of the most significant cybersecurity events in the financial sector during 2023 and the first half of 2024.

1. What Are the Most Common Types of Cyber Attacks Targeting Finance?

SOCRadar has identified numerous allegations of cyber attacks on dark web platforms such as hacker forums and Telegram channels. These include 3,119 database sales and leakage claims, tool/service sales, initial access sales, phishing, credit card fraud, DDoS attacks, vulnerability/exploit sales, and website defacement/DDoS attacks.

Content of Dark Web Posts Targeting the Financial Sector

Among these types of attacks, data/database sales and leaks constitute the majority at 62.52%. Credit card sales and carding methods follow as the second most common type at 15.1%, while initial access sales rank third. This highlights the prevalence of data breaches and financial fraud in the cyber threat landscape.

Targeted Countries for the Finance Industry in 2023 – 2024 H1

The financial institutions most frequently targeted by these cyber attacks are based in the United States, India, the United Kingdom, Russia, China, Spain, Brazil, Indonesia, Canada, and Germany. This geographical spread highlights the global nature of the threat landscape in the financial sector, emphasizing the need for robust cybersecurity measures worldwide.

Threat Actors That Are Most Targeting the Financial Sector in 2023 – 2024 H1

Leading the list of threat actors is Chucky, one of the administrators of the LeakBase hacker forum, known for reposting old data breaches and publishing new ones. This individual was also the most active in terms of postings in 2023. Another notorious threat actor is IntelBroker, infamous for their claims of breaches involving Europol, Apple, and AMD. IntelBroker’s cyber intrusion allegations against the financial sector account for 11% of their total attacks across various industries.

Top 10 Ransomware Gangs That Are Most Targeting the Financial Sector in 2023 – 2024 H1

Ransomware attacks have been particularly problematic, with several groups dominating the landscape. Cl0p leads with 24.9% of the incidents, followed closely by LockBit 3.0 at 20.9% and BlackCat (ALPHV) at 12%. Other notable groups include Black Basta (5%), Play (4%), BianLian (3.3%), and Medusa Team (2.6%). These statistics illustrate the pervasive threat ransomware poses to financial institutions, with each group employing increasingly sophisticated methods to breach security defenses. Now let’s look at the major attacks between 2023 and 2024 H1 and their implications.

2. Latitude Financial Breach: 14 Million Records Stolen

Latitude logo

In March 2023, Latitude Financial, an Australian financial services company, experienced a data breach in which hackers stole 14 million customer records. These records contained sensitive personal and financial information, including names, addresses, dates of birth, credit card details, driver’s license numbers, passport numbers, and financial statements.

3. TMX Data Breach Impacts 4.8 Million Customers

TMX Finance logo

TMX Finance and its subsidiaries TitleMax, TitleBucks, and InstaLoan suffered a data breach affecting 4,822,580 customers. The breach was discovered on February 13, 2023, and the subsequent investigation revealed that between February 3 and 14, 2023, hackers had stolen sensitive customer data, including full names, dates of birth, passport numbers, driver’s license numbers, federal and state identification card numbers, tax identification numbers, Social Security numbers, financial account details, phone numbers, physical addresses, and email addresses.

4. Cyberattack on Mr. Cooper Exposes Data of Nearly 15 Million

Mr. Cooper logo

In October 2023, Mr. Cooper, the largest nonbank mortgage servicer in the U.S., suffered a cyberattack that exposed the personal information of 14.7 million individuals. The breach, occurring between October 30 and November 1, included names, addresses, phone numbers, Social Security numbers, dates of birth, and bank account numbers. The incident also caused a November technical outage, impacting customer payments.

5. LoanDepot Announces Ransomware Attack Compromising Personal Data of 16.6 Million Customers

The cover of LoanDepot’s announcement post regarding their cyber incident.

In January 2024, the US-based mortgage and loan giant LoanDepot announced that it had experienced a ransomware attack. The company revealed that they had taken some of their systems offline in response to the attack. LoanDepot disclosed that sensitive information belonging to 16.6 million customers had been compromised. The stolen data included names, birth dates, email and postal addresses, financial account numbers, and phone numbers. Additionally, LoanDepot confirmed that Social Security Numbers were also stolen during the ransomware attack.

6. American Express Account Details Exposed

American Express Card

In March 2024, American Express Co. informed Massachusetts regulators that a breach at an external company might have compromised the account details of its cardholders. Although AmEx did not disclose the name of the hacked company or the potential number of affected individuals, it urged customers in a letter to monitor their accounts for any suspicious activity.

Discover the Powerful Features of SOCRadar’s Supply Chain Intelligence

SOCRadar’s Supply Chain Intelligence module enhances cybersecurity with robust features, providing organizations with unparalleled visibility into their supply chain security. Covering over 50 million companies across 373 sectors in 249 countries, this tool automates the mapping process and generates actionable recommendations.

SOCRadar Supply Chain Intelligence – 3rd Party Companies

Key features include:

  • Real-time updates on the latest cybersecurity developments and trends.
  • Analytics Board for monitoring third-party firms and analyzing global trends.
  • Advanced alarming system for critical events and potential risks.
  • Comprehensive security reports on third-party vendors.

Additionally, the module offers advanced scoring mechanisms, such as the Cyber Exposure Level and Popularity Score, aiding in prioritizing crucial suppliers. This strategic approach ensures resilience against global cybersecurity threats.

7. The Financial Sector as a Prime Target for Ransomware Groups

The financial sector continues to be a prime target for ransomware groups, with numerous high-profile breaches occurring in recent years. Ransomware attacks have not only compromised the data of major financial institutions but also threatened the privacy and security of millions of customers.

8. ALPHV/BlackCat Ransomware Attack on Tipalti Threatened Major Clients

ALPHV’s statement on their dark web platform

In December 2023, the ALPHV/BlackCat ransomware group, known for sophisticated cyberattacks, targeted Tipalti, a leading FinTech company. This alleged breach compromised Tipalti and threatened its high-profile clients, including Roblox, Twitch, and X.

ALPHV/BlackCat claimed to have accessed Tipalti’s systems on September 8, 2023, stealing over 265GB of sensitive data. The attack posed significant risks, particularly to Roblox and Twitch, whose confidential information could be leaked or used for extortion.

9. LockBit Ransomware Claims to Have Leaked 1.5TB of Data Stolen From Bank Syariah Indonesia

LockBit’s statement on their dark web platform

In May 2023, the LockBit ransomware group leaked 1.5 terabytes of personal and financial data from Bank Syariah Indonesia (BSI) after ransom negotiations broke down. The compromised data included information on approximately 15 million customers and employees of Indonesia’s largest Islamic bank. Although BSI initially attributed the service disruptions to IT maintenance, LockBit claimed responsibility for the cyberattack. Negotiation screenshots reveal that LockBit initially demanded $20 million before halting communications, despite the bank’s offer of $10 million.

10. LockBit Ransomware Implements Triple Extortion Attack, Exposes 600GB of Fullerton India Data

LockBit’s statement on their dark web platform

In May 2023, LockBit 3.0 claimed to have leaked 600GB of data from Fullerton India, after demanding a $3 million ransom. Following a malware attack, Fullerton India briefly suspended operations, but enhanced cybersecurity measures allowed them to resume services. The ransomware group listed the bank on their data leak site, claiming to have stolen loan agreements. Fullerton India’s refusal to pay led to triple extortion tactics. In a triple extortion attack, cybercriminals demand payment not only from the initial target but also from anyone affected by the potential disclosure of the target’s data.

11. Second Cyber Attack Claim in a Year

Snatch ransomware gang’s statement on their dark web platform

In June 2023, Fullerton India was also added to the list of victims of the Snatch ransomware gang, which claimed to have compromised an additional 430GB of data.

How Can SOCRadar Help Organizations Stay Ahead of Ransomware Threats?

Organizations must keep pace with the evolving threat landscape by adapting their security strategies. SOCRadar’s Extended Threat Intelligence solution provides real-time insights into emerging threats, enabling proactive countermeasures against cyber adversaries. Implementing multi-layered security measures is essential, and SOCRadar supports this with its Threat Intelligence, monitoring services, and advanced Ransomware Intelligence tool.

SOCRadar Attack Surface Management

Consistent vigilance against ransomware is necessary, and SOCRadar’s Attack Surface Management helps identify and counter potential threats. Additionally, continuous employee education and training are crucial, supported by SOCRadar’s Digital Risk Protection suite, which includes VIP and Brand Protection services.

Why Is SOCRadar the Invisible Hand of Cybersecurity?

Dark web monitoring is crucial for the financial industry, not only for initial threat detection but also for tracking the evolution of incidents and understanding their broader implications. The continuous activity on dark web forums serves as a stark reminder of the persistent threats facing financial institutions. Below, we examine three incidents involving renowned hacker forums, underscoring the importance of vigilant monitoring.

12. Alleged Data Breach of HSBC and Barclays by IntelBroker

In April 2024, the notorious threat actor IntelBroker announced on BreachForums that they had breached databases allegedly belonging to HSBC and Barclays. The threat actor claimed the data included sensitive information such as notary requests, security certificates, PIX keys, JKS files, security signing keys, compiled .jar files, source code stolen from GitLab, and other unsorted documents.

IntelBroker sells data it claims belongs to HSBC and Barclays

According to IntelBroker, the breached data included a file named “notary_request_2024[.]csv” with 512,000 lines containing detailed records. Other files allegedly contained security certificates and keys, compiled code, and various documents.

IntelBroker claims to have leaked HSBC and Barclays data

In May 2024, a month after the initial claim, IntelBroker released the data for free on the same forum, stating that a direct contractor of HSBC and Barclays was breached, compromising database files, certificate files, source code, SQL files, JSON config files, and compiled .jar files.

13. Alleged Data Leak of Truist Bank by ShinyHunters

In June 2024, multiple threat actors claimed to have leaked data allegedly belonging to Truist Bank on hacker forums. The sequence of events highlights the ongoing risk to financial institutions from cyberattacks.

Timeline of Events:

Sp1d3r’s statement

June 11, 2024: The Sp1d3r threat actor announced a significant breach involving Truist Bank, selling the data for $1 million.

June 13, 2024: Truist Bank confirmed a breach from October 2023 but clarified it was not connected to Snowflake, despite initial suspicions.

IC3 threat actor’s announcement

June 24, 2024: A different threat actor, unrelated to ShinyHunters and Sp1d3r, posted on another hacker forum offering all databases from the Truist breach for $75,000.

ShinyHunt3r’s statement

June 27, 2024: SOCRadar researchers detected that ShinyHunters had leaked data allegedly belonging to Truist Bank on BreachForums.

ShinyHunters claimed the leaked data included over 79,000 unique work email addresses, account balances, dates of birth, job titles, names, partial credit card data, and phone numbers of Truist Bank employees. Additionally, the breach reportedly exposed 65,000 employee records from IBM TRIRIGA and 22,900 records from Azure Active Directory (AAD), along with bank transactions containing names, account numbers, balances, and IVR funds transfer source code.

14. BidenCash Exposes 1.9 Million Credit Card Records

In December 2023, the SOCRadar Dark Web Team detected a significant breach involving BidenCash, a notorious carding market active since June 2022. This breach resulted in the exposure of 1.9 million credit card details on a hacker forum.

BidenCash’s post on a popular Russian hacker forum

BidenCash has aggressively marketed its services across various hacking platforms, frequently releasing stolen credit card data to lure in more cybercriminals. These card details are typically harvested through malicious methods like website skimmers and infostealer malware.

To gain initial traction in 2022, BidenCash leaked 8 million lines of data, which included email addresses and about 6,700 credit cards. Later, in October 2022, they expanded their leaks to cover 1,221,551 credit card details.

By February 2023, BidenCash had further escalated its activities, leaking around 2.1 million credit card records on a Russian hacker forum. This pattern of increasing data breaches highlights the growing threat posed by the BidenCash marketplace.

In an era where cyber threats are constantly evolving, particularly targeting the finance industry, the importance of robust dark web monitoring cannot be overstated. The incidents involving IntelBroker, ShinyHunters, and BidenCash demonstrate the persistent risks and the need for continuous vigilance. Financial institutions must proactively monitor the dark web to detect, track, and mitigate these threats effectively.

SOCRadar Dark Web News

Utilize SOCRadar’s Dark & Deep Web Monitoring capabilities to mitigate the impact of such incidents. With SOCRadar’s Dark Web News feature, you can track the latest data exposures and other incidents on threat actor channels. This feature ensures you stay informed about the latest developments and potential threats, allowing for proactive security measures.

SOCRadar Dark Web Monitoring

Furthermore, SOCRadar consistently monitors cybercriminal forums for fraudulent activity. This helps identify if your private, corporate, or credit card information has been stolen and exposed in dark web channels. Through SOCRadar’s Dark Web Monitoring feature, you can check whether your sensitive data is shared in hacker forums, providing an essential layer of protection.

By leveraging SOCRadar’s Dark Web Monitoring and News services, financial institutions can strengthen their cybersecurity posture, proactively countering cyber adversaries and safeguarding sensitive data. Stay ahead of the curve and protect your organization with SOCRadar’s cutting-edge solutions.