Data breaches targeting financial services: 2016 so far

Simon Tame | 26 May 2016

It’s been a busy year for data breaches relating to financial services organizations – we’ve identified claims of breaches for 10 companies in this sector. In all instances, data compromised from the affected companies was published and made freely available online. The contents of the data from these breaches all differed significantly, so what can we learn from this at a broader level?

Starting small, in February, 100 email addresses – although no usernames or passwords – from the Central Bank of Nigeria were released as part of OpAfrica. In April, the Panama-based law firm Mossack Fonseca was reported to have suffered a huge data breach. The breach resulted in the reported theft of 11.5 million files amounting to 2.6TB of information dating from the 1970s to early 2016.

[Figure: FS Data Breaches 2016]

A group called the “Bozkurt Hackers”, however, released the majority of the breached data, beginning with the claim of a hack against Qatar National Bank on 25th April. On 6th April, a Twitter account associated with this group posted a URL to approximately 10GB of data alleged to have been compromised from Invest Bank in Sharjah, United Arab Emirates. The 10GB file overlapped in part with data released in December 2015 by a threat actor calling themselves "Hacker Buba". Over the next few weeks, Bozkurt Hackers leaked data claimed to pertain to six more banks, including five banks in Nepal and Bangladesh and the Commercial Bank of Ceylon.

While the motivation behind each of the reported breaches was not always clear, the reporting shows that not all breaches occur for financial gain, as the breaches of Mossack Fonseca and the Central Bank of Nigeria demonstrate. Despite this, there was some evidence to suggest that the compromised data in the case of Invest Bank and the Qatar National Bank had been used for financial or economic reasons. With the exception of the Mossack Fonseca leak, establishing credibility was assessed to have been a partial motivator for the threat actors leaking the data in all the other instances.

The reported data breaches show some similarities. Many of them, including those of the Central Bank of Nigeria, the Qatar National Bank and the Commercial Bank of Ceylon, had in common the use of automated SQL injection tools such as sqlmap and the reported Havij 1.18 Pro tool. SQL injection attacks are assessed to remain a commonly used technique among threat actors, likely because tools that scan for and execute SQL injection attacks are publicly available and require little capability to use.

Looking forward, there is a realistic possibility that we will see further claims of data breaches against financial services organizations – and not necessarily motivated by financial gain. Organizations should take note of the common use of SQL injection in many of these attacks. The Open Web Application Security Project (OWASP) provides information and best practices for responding to such threats.
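
As a defender's view of the automated SQL injection activity described above, the following added example (not part of the original post) scans web access logs for sqlmap's default User-Agent and for common injection fragments in query strings. The log lines, IP addresses, paths and the `classify`/`summarize` helper names are constructed for illustration, and the patterns are heuristics rather than a complete rule set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# sqlmap's default User-Agent begins "sqlmap/". Client-controlled: weak signal alone.
TOOL_UA_RE = re.compile(r"\bsqlmap/", re.I)
# Heuristic fragments of injection probing in a decoded query string (not exhaustive).
PAYLOAD_RE = re.compile(
    r"union\s+(all\s+)?select|\b(or|and)\s+\d+\s*=\s*\d+|information_schema"
    r"|\b(sleep|benchmark)\s*\(|waitfor\s+delay|'\s*(--|#)",
    re.I,
)

def classify(line):
    """Return (ip, [reasons]) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    query = m["target"].partition("?")[2]
    decoded = unquote_plus(unquote_plus(query))  # second pass catches double encoding
    reasons = []
    if TOOL_UA_RE.search(m["ua"]):
        reasons.append("tool-user-agent")
    if PAYLOAD_RE.search(decoded):
        reasons.append("sqli-pattern")
    return m["ip"], reasons

def summarize(lines, threshold=2):
    """Map each source IP with >= threshold flagged requests to its set of reasons."""
    counts, reasons = defaultdict(int), defaultdict(set)
    for ip, why in filter(None, map(classify, lines)):
        if why:
            counts[ip] += 1
            reasons[ip].update(why)
    return {ip: reasons[ip] for ip in counts if counts[ip] >= threshold}

# Constructed sample log lines (documentation IP ranges), not data from any breach.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2016:10:00:01 +0000] "GET /accounts?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '198.51.100.7 - - [01/Jan/2016:10:00:02 +0000] "GET /accounts?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 500 87 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '203.0.113.9 - - [01/Jan/2016:10:05:10 +0000] "GET /search?q=1%2527%2520OR%25201%253D1-- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2016:10:06:00 +0000] "GET /search?q=union+square+branch HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2016:10:06:30 +0000] "GET /search?q=1%20AND%20SLEEP(5) HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, why in summarize(SAMPLE).items():
        print(ip, sorted(why))
```

Log matching of this kind only surfaces probing; the OWASP guidance on parameterized queries remains the fix for the underlying flaw.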