Data breach news: Banks prioritise security spending in light of data breaches


Latest news

Almost three-quarters of global financial services deploy new technologies such as the cloud, big data and IoT without having the correct security in place to protect them.

The findings come from Thales' new2017 Thales Data Threat Report, based on a survey carried out by 451 Research. The analysts surveyed more than 1,100 senior senior security executives across the globe, with more than 100 respondents in markets such as the UK, US, Brazil and Germany. They also came from a range of industries including retail, finance and healthcare.

Furthermore, 78% of financial services respondents stated they were spending more money on security. This may be because 28% of firms reported a breach last year, with 49% admitting having been breached at some point in the past. A total43% of global financial respondents also said they felt 'very' or 'extremely' vulnerable to data threats.

Endpoint security was their biggest spending priority, with 64% putting it at the top of their list, followed by analysis and correlation tools at 55%. Network security ranked at 53%, whereas data-at-rest defences scored 52%.

More than a third of the security executives said they plan to implement encryption with bring-your-own-key capabilities this year, while 36% will deploy tokenisation and 38% will deploy cloud access security brokers.

With new data protection rules on the horizon and APPI in Japan, 64% of all global respondents, and 66% of global financial firms, are interested in encryption to satisfy local sovereignty rules.

Despite this, plans to migrate customer data to remain compliant with data sovereignty laws and choosing local service providers were at the bottom of respondents' priority list globally, scoring 36% and 26% respectively.

Just 20% of UK banks were confident of detecting data breaches, it emerged in February this year (see below), while half of financial institutions had inadequate data security frameworks or privacy policies in place too.

26/06/2017: UK government's Cyber Essentials suffers data breach

The UK government's Cyber Essentials scheme, which aims to help organisations protect themselves against data breaches has suffered a breach itself, exposing the email addresses of many of its registered consultancies, the government has revealed.

However, it was only consultancies dealing withIASME, one of six accrediting bodies for the Cyber Essentials scheme that was affected, meaning only a small proportion of the companies working with the scheme have had their details exposed.

The breach was result of a third-party system, provided by Pervade Software, suffering a configuration error after an engineer incorrectly set it up. Criminals apparently managed to access an email log file generated by the assessment system, accessing details includingemail addresses, company names and the IP address of the Certification Body used by the organisation.

"We would like to make you aware that,due to a configuration error in the Pervade Software platform we use for CyberEssentials assessments, the email address you used to apply for an assessment andyour company name may have beenreleased to a third party," the notice stated.

"We would like to make it clear that the security ofthe assessment platform has not been compromised. Your account,the answers youprovided in the assessment and the report you received are secure. Noinformation other than youremail address and your company name was accessibleto the third party."

Pervade said it immediately responded to the breach and has now fixed the issue, hopefully not leaving any long-term damage.

02/02/2017: Only 20% of UK banks confident of detecting data breaches

Only one bank in five is highly confident in its ability to detect a data breach, with 50% of financial institutions having inadequate data security frameworks or privacy policies in place, research suggests.

Consultancy Capgemini surveyed 7,600 consumers and 183 senior security and privacy professionals from global banking and insurance firms in eight countries, including the UK, for its Currency of Trust report.

It found that the UK's financial services organisations lag slightly behind the global average when it comes to confidence in their ability to detect a data breach - 19% vs 21% - although the country's slightly ahead of the curve when it comes to having fully-automated cyber threat intelligence - 45% vs 40%.

When it comes to preparedness for GDPR - the upcoming EU-wide law that governs what penalties organisations will face for a data breach - the UK is also happily ahead of the game. Worldwide, only 32% of financial institutions consider themselves ready for the legislation, but in the UK that rises to 41%.

The UK also fares better than average when it comes to preventative measures, with only 31% taking three months to a year to patch and manage vulnerabilities, compared to a global average of 49%.

However, in some other areas UK financial institutions aren't quite so virtuous. A total 83% of banks and insurance firms here retain customer data after they leave, compared to 78% globally. And, while more UK organisations update data consent clauses after a privacy policy is changed than the global average, at 26% it's still very low.

Mike Turner, global cybersecurity chief operating officer at Capgemini, said: "Consumers implicitly trust banks with their money and data, but this faith is rooted in a mistaken belief their provider can be 100% secure. While banks are evolving to combat the sophisticated threat cyber criminals pose, public understanding of the threats and challenges remains low.

"The introduction of GDPR legislation next year is a prime opportunity for business transformation for banks and insurers to become the digital fortresses consumers believe them to be."

What is a data breach?

Also known as a data leak or unintentional disclosure, a data breach occurs when confidential information falls into the wrong hands. This could be due to the work of hackers, a malicious internal actor, an oversight or a system failure.

For example, hackers stealing credit card information, an employee passing IP or financial data onto competitors, someone leaving a USB stick on a train, and the accidental attachment of a patient list to an email would all count as a data breach.

Data breach consequences

In the UK, a data breach can currently cost an organisation a fine of up to 500,000 if it is found to have been in contravention of the Data Protection Act 1998.

However, from May 2018, that figure will rise significantly thanks to GDPR, with fines of up to 10 million or 2% of annual turnover (whichever is greater) waiting for the worst offenders. You can find out more about GDPR here.

Famous data breaches

Famous recent data breaches include the 2014 Yahoo hack (revealed in 2016), with the details of up to 500 million customers stolen, the 2015 hacks of TalkTalk and Ashley Madison, which affected 4 million and 37 million customers respectively, and the Sony Pictures Entertainment hack, which led to the exfiltration of around 100 terabytes of data, according to the perpetrators.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.