More than 90% of the breaches recorded in 2024 were financially motivated, so it is no surprise that the banking, financial services and insurance (BFSI) industry is a top target for cybercriminals. This article looks at five major attacks that rocked the industry in 2024: the methods used by the threat actors, the impact on the affected organizations, and the key security takeaways from each breach.
Fidelity Investments
Fidelity Investments, one of the largest asset management companies in the world with $14 trillion in assets under management, was hit by a data breach in August 2024. The company disclosed that adversaries created two customer accounts and used them to obtain images of customer documents from an internal database. Fidelity admitted that the personal information of more than 77,000 customers was stolen in the intrusion. The exact root cause has not been made public. A complaint filed in a U.S. District Court alleges that Fidelity did not follow security best practices, such as providing adequate security training to its employees; if that allegation holds, social engineering was the likely initial access vector, but the disclosure itself does not confirm this.
Financial Business And Consumer Solutions
FBCS, a U.S.-based debt collection agency, experienced a data breach in February 2024 that exposed the personal information of 4.2 million people. The stolen data included social security numbers, dates of birth, account information, driver's license numbers and ID cards. The exact cause of the attack is unknown; FBCS stated only that it discovered unauthorized access to certain network systems. Because FBCS collects debts on behalf of other businesses, companies such as Truist Bank and Comcast had customer data exposed as a consequence of the FBCS breach, a reminder that a third-party vendor's breach becomes its clients' breach. FBCS has warned affected individuals to be on the lookout for targeted phishing attacks.
Patelco Credit Union
Patelco, a U.S.-based not-for-profit credit union, was hit by a ransomware attack in June 2024. The attackers allegedly gained entry through a phishing email, then moved into internal systems and databases, disrupting access and demanding a ransom to restore operations and return the stolen data. Patelco suffered two weeks of downtime and stated in its breach filing that the attackers may have stolen the data of more than a million customers and employees. The stolen information included names, dates of birth, social security numbers, driver's license numbers, email addresses and more.
United Services Automobile Association
USAA, an American financial services company providing insurance and banking services to 13.5 million members of the U.S. military, veterans and their families, disclosed a data breach in August 2024 in which the sensitive data of 32,000 of its customers was compromised. According to a USAA statement, the incident occurred during a routine update to its document delivery system, which inadvertently exposed sensitive data to unauthorized third parties; that points to a change-control failure rather than an external intrusion. Compromised data included names, addresses, email addresses, dates of birth, SSNs, driver's license numbers, passport numbers, Vehicle Identification Numbers (VINs), loan numbers, and other property and casualty insurance information. This was not the first time USAA came under fire over a data breach: the association recently reached a $3.2 million settlement for a 2021 data breach.
Transak
Cryptocurrency payment processor Transak discovered in October 2024 that a threat actor had compromised data belonging to 1.14% of its user base (92,554 customers). According to Transak, an employee was targeted by a "sophisticated phishing attack" that stole their credentials. The attackers then used those credentials to log in to a third-party KYC vendor and, from the vendor's dashboard, accessed user information including names, dates of birth, ID documents, and selfie photos and videos. Following Transak's disclosure, the Stormous ransomware operation claimed responsibility, saying it had exfiltrated 300 GB of data from the platform's systems. The chain is worth noting: one employee's stolen credentials were enough to reach sensitive data held by a vendor, an access path that phishing-resistant MFA on the vendor login is designed to close.
Key Takeaways for BFSI Organizations:
The above is only a small subset of the breaches and cyberattacks that hit the BFSI industry in 2024. Several other leading brands, including Ally Bank, Varo Bank, Loan Depot, Radiant Capital, Equilend and Prudential Financial, fell victim to cyber incidents last year.
Train Staff on Security: Since most attacks start with a human element (a phished employee, a reused or weak password), organizations must train employees to recognize social engineering and phishing attempts, follow security best practices and stay vigilant.
Tighten Security Controls: Implement robust controls such as phishing-resistant MFA (so that stolen passwords alone, as in the Transak case, are not enough), data encryption, network segmentation, zero-trust network access controls, and AI-based threat detection and response, to detect and stop attackers before they reach sensitive data.
Frequently Test and Improve Security Posture: Conduct periodic vulnerability assessments and penetration tests; audit security controls, protocols and procedures; run phishing simulations with employees; review the security posture of key supply chain partners (the FBCS and Transak incidents show how a vendor's weakness becomes your breach); and assess software and applications for vulnerabilities.
Ensure Compliance with Regulations: Financial services is a highly regulated industry where the cost of non-compliance can be dire. Several organizations have faced, or are facing, costly class-action suits over non-compliance with cybersecurity regulations and disclosure obligations.
Cyberattacks on financial services organizations are a stark reminder of the ever-evolving threat landscape and of the need for vigilance in securing sensitive financial data. In 2025 and beyond, organizations must adopt a proactive security posture: train staff, tighten controls, test and improve that posture continuously, and comply with industry regulations.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.