The number of data breaches reported involving the loss of financial data, such as credit card or bank account details, has also increased, from 1,374 in 2021/22 to 1,536 in 2022/23 (year end March 31st) (based on submissions by organisations who have suffered a cyber-attack to the ICO).
The number of items of financial data items compromised by cyber-attacks continues to rise despite organisations being increasingly aware of the risks of cyber-attacks and investing in better software and procedures to prevent cyber-attacks.
Ben Marsh, Deputy Class Underwriter at Chaucer, says: “The sheer number of items of sensitive data being compromised in attacks is very concerning – especially since the maturity of corporate cybersecurity defences have dramatically improved in the last three years.”
“Even with all these improvements, the cyber threat continues to evolve at a rapid pace, and malicious actors continue to have the upper hand – the theft of such huge amounts of sensitive data is a reflection of this.”
“We’re seeing this now in an ever-increasing rate of ransomware attacks against networks as criminals seamlessly adopt modern malware toolsets as a method of generating revenue.”
ICO data shows there has been an increase in successful cyber-attacks against financial services providers, increasing from 259 in 2021/2022 to 722 in 2022/2023 (yearend June 30th). The Pensions Ombudsman recently revealed that it had to notify up to 17,500 individuals in an investigation into a potential data breach.
Cyber-attacks are now becoming more organised and sophisticated, and companies need to invest in improved protection and protocols to defend against threats.
Says Ben Marsh: “Capabilities like Multi Factor Authentication and Endpoint Detection and Response tools are now almost prerequisites for cyber cover today. These also have to be tested and proven, with leadership and response teams completing virtual war games to test and adjust incident response plans. In addition, staff education now is increasing too as more and more companies throw simulated phishing campaigns at their employee inboxes.”
“A lot of organisations still do not know the true extent of what data resides on their system nor do they employ the principles of least privilege. This makes them much more vulnerable to attack. Sensitive information such as passports, health information, financial transaction details, are prime targets for extortion through ransomware. This information needs to be secure and accessible only to those who need it, to help minimise a client’s risk.”
“Often, we find that businesses are retaining sensitive data that they have no use for at all – needlessly creating additional risks for them in the case of a data breach.”
Ben Marsh argues it is crucial for companies to know what data, and how much, is under their control. Poor custody of personal, health or other sensitive information could be viewed negatively by regulators – posing further risks of class actions or fines following a data breach.
Says Ben Marsh: “Cyber-threats to organisations will continue to grow in their complexity and speed, as malware toolsets are increasingly easily accessible on the Dark Web. Ever-changing and broader training for employees would help staff to stay alert and better navigate these threats as they arise.”
*May include individuals that had their financial data compromised more than once in different and unrelated data breaches
Number of people effected by data breaches of economic and financial data
|
