
10 Biggest Data Breaches in the Financial Sector [2025]

Learn about the biggest data breaches in the financial sector, why this field is an attractive target for cyber attacks and how attacks could have been prevented.

Alexander Petrovski (Alex)

Created: June 10, 2025

Updated: June 10, 2025


Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to help you understand passkeys and their characteristics better.

1. Introduction: Why are Data Breaches a Critical Threat to the Financial Sector?

The financial sector has increasingly become the prime target for cyberattacks, attracting attackers with the promise of immediate financial rewards and valuable personal data. In 2023, financial institutions accounted for 27% of all breaches worldwide, surpassing even healthcare as the most breached industry.

Financial losses from these incidents are huge: by 2024, the average cost per breach in the financial sector reached $6.08 million (22% higher than the global cross-industry average). Malicious attacks, particularly phishing and ransomware, remain the dominant methods used by cybercriminals, exploiting vulnerabilities in third-party integrations, legacy systems, and human error.

In this article, we’ll explore ten of the largest global data breaches that have happened in the financial sector, highlighting how these breaches occurred, their critical vulnerabilities, and essential preventive strategies organizations must adopt.

2. Why are Data Breaches so common in the Financial Sector?

Cyber-attacks frequently target banks, insurers, and payment services since these institutions are at the center of the digital economy. A successful attack can provide both funds and confidential customer data in a single hit, offering criminals a compelling motivation to attempt it. Rapidly changing online services, sophisticated technology, and high public expectations of round-the-clock availability make the financial industry a tough space to defend. Here are a few of the reasons attackers frequently target the financial sector:

2.1 Direct Cash Incentives

Attackers focus on banks and payment companies because they can turn a breach into cash very quickly. First, if they gain access, they can pull money straight from customer accounts or organize ATM “cash-out” runs that deliver hard cash within hours (often withdrawing small amounts from a large number of accounts so as not to raise suspicion). Second, the card numbers and personal details that banks hold fetch high prices on underground markets, so every stolen record brings guaranteed income as well. Third, by encrypting critical systems with ransomware, criminals can pressure banks that are eager to restore service and avoid fines into paying multi-million-dollar ransoms.

2.2 High-value Data

Financial institutions are prime targets for cyber attacks primarily due to the sheer amount and sensitivity of customer data they hold. In this day and age almost everyone has a bank account to deposit, withdraw, and transfer funds, so banks and related organizations maintain extensive records, including names, addresses, birthdates, social security numbers, detailed financial histories, employment details, and even tax information on most citizens. This wealth of data allows attackers to quickly monetize breaches by immediately taking control of customer accounts, conducting fraudulent transactions, or draining funds. Additionally, stolen information commands high prices on dark web marketplaces, where comprehensive identity packages (known as “fullz”) or individual bank account credentials sell for substantial sums. Compounding this risk, strict regulatory requirements such as Know Your Customer (KYC) and Anti-Money Laundering (AML) laws oblige financial institutions to retain customer data for many years, significantly extending the window of vulnerability. Together, these factors create an environment in which each successful breach delivers not just immediate profits but also long-term opportunities for sophisticated identity and financial fraud, making financial institutions particularly attractive and repeatedly targeted by cybercriminals.

2.3 Easy Access through Legacy IT Systems

Much core banking software runs on platforms that vendors no longer support, so known security flaws stay open long after newer platforms have received patches. Decades of bolt-on additions, such as mainframes linked to web portals, custom middleware, and ad hoc scripts, create a tangled web in which breaking one weak link can compromise everything from customer balances to payment rails. Since these legacy systems frequently cannot support newer security features such as multi-factor logins or continuous monitoring agents, security teams are forced into work-arounds that attackers learn to circumvent. Strict change-control policies add to the risk: patches can take weeks, even months, to test before being implemented, giving attackers a considerable window of opportunity to exploit the unpatched flaw.

2.4 Human Errors and Insider Threats

Despite advanced security tools, human behavior remains a critical vulnerability in the financial sector. Financial institutions are large organizations with thousands of employees, contractors, and partners, any of whom can accidentally or maliciously open the door to attackers. Phishing, credential reuse, and social engineering remain top breach vectors. Additionally, insiders with privileged access, such as IT administrators or disgruntled employees, can bypass many standard security controls, making internal threats especially difficult to detect and prevent.


3. The biggest Data Breaches in the Financial Sector

In the following, you will find a global list of the largest data breaches in the financial sector. The data breaches are sorted by the number of impacted accounts in descending order.

3.1 First American Financial Corporation Data Breach (2019)

Date: May 2019
Impacted Customer Number: Approximately 885 million records
Breached Data:
  • Names
  • Addresses
  • Social Security Numbers (SSNs)
  • Bank account numbers
  • Mortgage and financial documents
  • Tax records

In May 2019, First American Financial Corporation, one of the largest providers of title insurance and settlement services in the United States, exposed approximately 885 million sensitive records through a website vulnerability. Due to improper access control, anyone with a valid URL link to a document could view other unrelated documents simply by modifying digits in the URL, without authentication.

The leaked documents included critical financial and personal information, such as Social Security Numbers, bank account details, mortgage records, and tax documents, putting customers at significant risk of fraud and identity theft. The breach was particularly alarming given the highly sensitive nature of real estate transaction records, and it underscored major gaps in web application security practices across the financial sector.
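To make the access-control failure concrete, here is an added illustration (not code from the original article or from First American) of a document endpoint that trusts a sequential id alone, next to a hardened version that ties every lookup to the authenticated session user and can also hand out random, unguessable references instead of database ids. The document store, user names and the `REFERENCES` table are constructed sample data.

```python
import secrets

# Constructed sample store: sequential document ids, the kind that can be
# tampered with in a URL, mapped to the customer who owns each document.
DOCUMENTS = {
    100001: {"owner": "alice", "title": "Closing statement"},
    100002: {"owner": "bob", "title": "Mortgage application"},
    100003: {"owner": "carol", "title": "Tax record"},
}

# Server-side table of random references handed out to clients (hypothetical).
REFERENCES = {}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested document."""


def fetch_document_insecure(doc_id):
    """Reproduces the flaw described above: the document is looked up by id
    alone, so whoever changes the digits in the URL receives someone else's
    record. Nothing checks who is asking."""
    return DOCUMENTS[doc_id]


def fetch_document_secure(session_user, doc_id):
    """Hardened version: the authenticated session user must own the record.
    Missing and foreign documents get the same error so the response does
    not reveal which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        raise Forbidden("document not found or not authorized")
    return doc


def access_allowed(session_user, doc_id):
    """True only if the secure path would serve this document to this user."""
    try:
        fetch_document_secure(session_user, doc_id)
        return True
    except Forbidden:
        return False


def issue_reference(session_user, doc_id):
    """Defense in depth: after the ownership check passes, give the client a
    random reference instead of the guessable sequential id."""
    fetch_document_secure(session_user, doc_id)
    ref = secrets.token_urlsafe(16)
    REFERENCES[ref] = (session_user, doc_id)
    return ref


def fetch_by_reference(session_user, ref):
    """Resolve a reference, re-checking that it was issued to this user."""
    entry = REFERENCES.get(ref)
    if entry is None or entry[0] != session_user:
        raise Forbidden("invalid reference")
    return DOCUMENTS[entry[1]]
```

The random reference is not a substitute for the ownership check; `fetch_by_reference` still verifies the session user, because an unguessable id only raises the cost of guessing, while the server-side authorization is what actually stops the tampered request.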

Prevention methods:

  • Implement robust access controls and authentication checks for document repositories

  • Conduct thorough security testing (e.g., penetration tests) before deploying applications publicly

  • Monitor and audit application access patterns to detect abnormal behavior early

3.2 Equifax Data Breach (2017)

Date: May–July 2017 (disclosed September 2017)
Impacted Customer Number: ~148 million (147.9M U.S., 15.2M UK, 19K Canada)
Breached Data:
  • Names
  • Social Security numbers
  • Birth dates
  • Addresses
  • Driver’s license numbers
  • Credit card numbers (209,000 accounts)
  • Sensitive dispute documents (182,000 accounts)

The Equifax breach, disclosed publicly in September 2017, remains one of the most consequential cybersecurity incidents in financial history. Attackers exploited a known vulnerability (CVE-2017-5638) in Apache Struts, an open-source web application framework. Despite a security patch released in March 2017, Equifax failed to update its U.S. online dispute portal, leaving systems vulnerable for over two months.

The attackers conducted extensive reconnaissance, sending over 9,000 queries across 48 unrelated databases and successfully extracting sensitive personal information 265 times. Compounding the issue, an expired security certificate disabled critical monitoring tools, delaying breach detection significantly.
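An expired certificate silently blinding a monitoring tool is a failure of inventory, not of cryptography. The following added example (not from the article or from Equifax) audits a constructed certificate inventory against a fixed reference date and lists the hosts whose certificates are expired or about to expire. It uses the standard library's `ssl.cert_time_to_seconds`, which parses the `notAfter` string format that `getpeercert()` returns; the host names, dates and the 30-day warning window are assumptions for the illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificate inventory: host and its notAfter value in the
# "%b %d %H:%M:%S %Y GMT" format that ssl.SSLSocket.getpeercert() returns.
INVENTORY = [
    ("ids-sensor.internal", "Jan 15 00:00:00 2025 GMT"),
    ("tls-inspection-proxy.internal", "Jun 20 00:00:00 2025 GMT"),
    ("siem-collector.internal", "Jun 10 00:00:00 2026 GMT"),
]

# Fixed reference time so the run is reproducible (constructed).
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc).timestamp()


def classify(not_after, now_ts, warn_days=30):
    """Return (status, days_left) for one certificate expiry string."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    days_left = (expiry_ts - now_ts) / 86400
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return status, days_left


def audit(inventory, now_ts, warn_days=30):
    """Classify every certificate in the inventory: host -> (status, days_left)."""
    return {name: classify(na, now_ts, warn_days) for name, na in inventory}


def needs_action(inventory, now_ts, warn_days=30):
    """Hosts whose certificates are expired or inside the warning window."""
    return sorted(
        name
        for name, (status, _) in audit(inventory, now_ts, warn_days).items()
        if status != "ok"
    )


if __name__ == "__main__":
    for host, (status, days) in audit(INVENTORY, NOW).items():
        print(f"{host:32} {status:9} {days:8.1f} days")
```

In practice the inventory would be populated from the certificate stores of every security appliance, including the decryption and inspection layer whose outage is otherwise invisible, and the `needs_action` list would feed a ticket or alert rather than a print statement.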

The consequences were substantial: Equifax faced lawsuits, regulatory scrutiny, and ultimately paid a $1.38 billion settlement covering consumer compensation and cybersecurity enhancements. The breach prompted legislative changes in the U.S., enabling consumers to freeze credit reports without cost. In February 2020, the U.S. indicted four Chinese military operatives for executing the breach, though China denied involvement.

Prevention methods:

  • Promptly apply security patches and updates to software and frameworks.

  • Maintain active monitoring tools and regularly audit security certificates.

  • Implement comprehensive encryption and robust access controls for sensitive data.

  • Conduct ongoing security assessments and adopt proactive threat detection measures.

3.3 Heartland Payment Systems Data Breach (2008–2009)

Date: Late 2007–2008 (discovered January 2009)
Impacted Customer Number: Approximately 130 million credit and debit cards
Breached Data:
  • Credit and debit card numbers
  • Cardholder names
  • Expiration dates
  • Security codes
  • Social Security numbers
  • Banking information

The Heartland Payment Systems breach, uncovered in January 2009, ranks among the largest card-data breaches ever recorded. Attackers initially gained access via an SQL injection vulnerability on Heartland’s corporate website in late 2007. They subsequently deployed malware onto the company’s payment processing network, capturing sensitive card information, including card numbers, names, expiration dates, and security codes, as transactions occurred.

The malware remained undetected for months, compromising approximately 130 million cards. Suspicious transactions traced by Visa and MasterCard led to the discovery of the breach, and Heartland publicly disclosed the incident, cooperating extensively with law enforcement. The breach cost Heartland between $170 and $200 million, including fines, settlements, and loss of business credibility. Albert Gonzalez, the cybercriminal behind the attack, was sentenced to 20 years in prison, the longest cybercrime sentence at the time.
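The SQL injection that opened the door here is a query-construction defect, and the fix is mechanical. The added example below (not code from the article or from Heartland) builds a small in-memory SQLite table, then runs the same input through a lookup that splices the value into the SQL text and through one that binds it as a parameter. The table, the merchant rows and the tautology input are constructed for the demonstration.

```python
import sqlite3

# Constructed demo table standing in for a corporate website's backend store.
SEED_ROWS = [
    ("Acme Diner", "owner@acme.example"),
    ("Blue Bakery", "hello@bluebakery.example"),
    ("Corner Pharmacy", "it@cornerpharm.example"),
]

# A textbook tautology input, used only to show that the two query styles
# behave differently on identical input.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def build_demo_db():
    """In-memory SQLite database with a handful of merchant records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, contact_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO merchants (name, contact_email) VALUES (?, ?)", SEED_ROWS
    )
    return conn


def find_merchant_vulnerable(conn, name):
    """Vulnerable pattern: the user-supplied value is spliced into the SQL
    text, so a quote in the input changes the structure of the query."""
    sql = f"SELECT name, contact_email FROM merchants WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_merchant_safe(conn, name):
    """Hardened pattern: a bound parameter keeps the value as data. The same
    input is compared literally against the column and matches nothing."""
    sql = "SELECT name, contact_email FROM merchants WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Row counts returned by each implementation for one input:
    (vulnerable_count, safe_count)."""
    conn = build_demo_db()
    try:
        return (
            len(find_merchant_vulnerable(conn, name)),
            len(find_merchant_safe(conn, name)),
        )
    finally:
        conn.close()
```

For a legitimate name both functions return one row; for the tautology input the vulnerable query returns the whole table while the parameterized query returns nothing, which is exactly the difference a web application scan or code review should be looking for.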

Prevention methods:

  • Regularly conduct vulnerability scans and penetration testing to detect and remediate critical vulnerabilities such as SQL injections.

  • Implement end-to-end encryption for sensitive transaction data to ensure data remains protected both at rest and in transit.

  • Establish proactive, continuous monitoring and advanced threat detection systems to swiftly identify malware or unauthorized network access.

  • Ensure compliance standards complement, not replace, comprehensive cybersecurity practices and protocols.


3.4 Capital One Data Breach (2019)

Date: March 2019 (discovered July 2019)
Impacted Customer Number: Over 106 million (100M U.S., 6M Canada)
Breached Data:
  • Names, addresses, phone numbers, emails, dates of birth
  • Credit scores, limits, balances, payment history
  • Social Security numbers (140,000 U.S.)
  • Linked bank account numbers (80,000 U.S.)
  • Social Insurance Numbers (1 million Canada)

The Capital One breach, occurring in March 2019 and discovered four months later, was the result of a misconfigured web application firewall in the bank’s Amazon Web Services (AWS) cloud environment. Paige Adele Thompson, a former AWS employee, exploited her insider knowledge to access and download nearly 30 GB of sensitive customer information.

The exposed data included personal identifiers, detailed credit histories, Social Security numbers, and bank account information, affecting over 106 million individuals across the U.S. and Canada. Capital One faced severe regulatory and legal consequences, ultimately paying over $300 million in fines, settlements, and remediation efforts, including an $80 million fine for inadequate risk management of its cloud infrastructure.

The breach significantly damaged Capital One’s reputation, prompting substantial investments in cybersecurity improvements, notably enhanced cloud configuration and robust access controls.

Prevention methods:

  • Regularly audit cloud environments and configurations to prevent misconfigurations that could lead to unauthorized access.

  • Implement stringent access control measures, especially monitoring activities of personnel with insider knowledge or administrative privileges.

  • Maintain continuous security monitoring to quickly detect vulnerabilities and breaches.

  • Provide comprehensive cybersecurity training emphasizing cloud security practices for all IT personnel.

3.5 Experian Data Breaches (2012–2020)

Date: Multiple incidents: 2012–2013, 2015, 2020
Impacted Customer Number: Over 40 million across incidents (15M U.S. T-Mobile, 24M South Africa, millions via Court Ventures)
Breached Data:
  • Names and addresses
  • Social Security numbers
  • Dates of birth
  • Identification documents (driver’s license, passports)
  • Business records (South Africa breach)

Experian, a global credit reporting giant, has endured multiple significant data breaches impacting tens of millions of individuals worldwide.

  • 2012–2013 Court Ventures breach: Following Experian’s acquisition of Court Ventures, a hacker posing as a private investigator illicitly accessed and sold sensitive personal data online, affecting millions.

  • 2015 T-Mobile breach: Hackers accessed an Experian server holding credit applications from T-Mobile customers, compromising personal details of approximately 15 million individuals. Despite encryption, attackers reportedly circumvented protections, gaining sensitive identity information.

  • 2020 South Africa breach: A fraudulent individual tricked Experian into releasing data on approximately 24 million citizens and nearly 800,000 businesses, raising severe concerns about identity theft.

These incidents severely damaged Experian’s credibility, drew extensive regulatory scrutiny, and heightened consumers’ risk of identity theft and financial fraud. In response, Experian enhanced its security measures, cooperated with authorities, and provided credit monitoring services to impacted individuals.

Prevention methods:

  • Enhance identity verification protocols and internal checks to prevent social engineering and fraudulent access attempts.

  • Apply encryption standards, coupled with regular security audits, to ensure data remains protected even if accessed.

  • Conduct thorough cybersecurity due diligence during mergers and acquisitions, maintaining consistent monitoring post-acquisition.

  • Regularly update and improve employee cybersecurity awareness training programs.

3.6 JPMorgan Chase Data Breach (2014)

Date: Disclosed in July 2014
Impacted Customer Number: Approximately 83 million accounts
Breached Data:
  • Names
  • Email addresses
  • Phone numbers
  • Physical addresses
  • Internal customer metadata

In 2014, JPMorgan Chase disclosed one of the most significant breaches ever to hit the US financial sector, affecting approximately 76 million households and 7 million small businesses. Attackers gained access through a compromised employee account, exploiting weaknesses in the bank’s network infrastructure. Although no financial information such as account numbers, passwords, or Social Security Numbers was stolen, the attackers did obtain names, addresses, email addresses, and phone numbers.

The breach drew major attention due to the bank’s critical role in the US economy and raised alarms across the financial services industry regarding cybersecurity readiness. It led to heightened regulatory scrutiny and prompted many financial institutions to reevaluate their cybersecurity frameworks, especially concerning employee account protections and network segmentation.

Prevention methods:

  • Enforce multi-factor authentication (MFA) for all internal and external accounts

  • Implement robust network segmentation to limit lateral movement in case of compromise

  • Regularly test and update security protocols for employee access management

3.7 Block, Inc. (Cash App Investing) Data Breach (2021)

Date: December 2021 (disclosed April 2022)
Impacted Customer Number: Approximately 8.2 million U.S. customers
Breached Data:
  • Full names
  • Brokerage account numbers
  • Portfolio values, holdings, and stock trading activity (for a subset of customers)

In December 2021, Block, Inc. (formerly Square) experienced a data breach impacting approximately 8.2 million customers of its Cash App Investing product. The breach involved a former employee who retained unauthorized access after termination, highlighting significant weaknesses in Block’s offboarding and access management processes.

The former employee downloaded reports containing sensitive brokerage-related data, such as names, account numbers, and for some customers, detailed portfolio and trading activity. Sensitive financial identifiers like Social Security numbers and payment information were not compromised.

Block disclosed the breach publicly four months later, in April 2022, triggering criticism and class action lawsuits over delayed notification and inadequate safeguards. The incident led Block to strengthen its internal administrative controls, improve data loss prevention measures, and cooperate closely with law enforcement and regulators.
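Offboarding failures of this kind are caught by reconciling the HR record of who still works for the company against what the systems themselves report as enabled accounts. The added example below (not code from the article or from Block) does that reconciliation over a constructed roster and account inventory, distinguishing an account that merely stayed enabled after termination from one that was actually used after it, and flagging accounts with no owner in HR at all. User names, systems and dates are constructed sample data.

```python
from datetime import date

# Constructed HR roster: user -> termination date, or None while still employed.
HR_ROSTER = {
    "u.alice": None,
    "u.bob": date(2021, 11, 30),
    "u.carol": date(2021, 12, 3),
}

# Constructed account inventory pulled from each system's own user store.
ACCOUNTS = [
    {"system": "reporting", "user": "u.alice", "enabled": True, "last_login": date(2021, 12, 10)},
    {"system": "reporting", "user": "u.bob", "enabled": True, "last_login": date(2021, 12, 9)},
    {"system": "vpn", "user": "u.bob", "enabled": False, "last_login": date(2021, 11, 29)},
    {"system": "brokerage-admin", "user": "u.carol", "enabled": True, "last_login": date(2021, 12, 1)},
    {"system": "reporting", "user": "svc-legacy", "enabled": True, "last_login": date(2021, 12, 10)},
]


def reconcile(roster, accounts, as_of):
    """Compare enabled accounts against the HR roster as of a given date.

    Returns sorted (system, user, finding) tuples where finding is one of:
      no_owner                -- enabled account with no HR record behind it
      stale_access            -- owner terminated, account still enabled, unused since
      used_after_termination  -- owner terminated and the account was used afterwards
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are what offboarding should produce
        user = acct["user"]
        if user not in roster:
            findings.append((acct["system"], user, "no_owner"))
            continue
        terminated = roster[user]
        if terminated is None or terminated > as_of:
            continue  # still employed as of the reconciliation date
        if acct["last_login"] > terminated:
            findings.append((acct["system"], user, "used_after_termination"))
        else:
            findings.append((acct["system"], user, "stale_access"))
    return sorted(findings)


if __name__ == "__main__":
    for system, user, finding in reconcile(HR_ROSTER, ACCOUNTS, date(2021, 12, 10)):
        print(f"{finding:24} {system:16} {user}")
```

Run daily, the `used_after_termination` findings are incidents to investigate, the `stale_access` ones are offboarding gaps to close, and `no_owner` accounts are candidates for an owner or for removal.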

Prevention methods:

  • Immediately revoke system access and credentials for departing employees to minimize insider threats.

  • Implement robust access control frameworks enforcing the principle of least privilege.

  • Regularly conduct audits and apply strict data loss prevention (DLP) policies to quickly detect unauthorized data access or exfiltration.

  • Ensure prompt disclosure and transparency in breach notification processes to maintain customer trust and regulatory compliance.


3.8 Desjardins Group Data Breach (2016–2019)

Date: October 2016 – May 2019 (disclosed June 2019)
Impacted Customer Number: Approximately 9.7 million individuals, 173,000 businesses
Breached Data:
  • Names
  • Addresses
  • Dates of birth
  • Social Insurance Numbers (SINs)
  • Telephone numbers
  • Email addresses
  • Transaction histories
  • Information on products and services used

Desjardins Group, one of Canada’s largest financial cooperatives, suffered a massive insider-caused data breach that exposed the personal and financial details of nearly 9.7 million individuals. The breach was discovered after an internal investigation revealed that a now-former employee had been collecting and leaking data over a period of at least 26 months. The information was being transferred outside the organization and was not detected by Desjardins’ monitoring systems until the federal Privacy Commissioner got involved.

The nature of this breach, rooted in abuse of legitimate internal access, highlighted systemic weaknesses in Desjardins’ internal controls, particularly around user activity monitoring, access rights, and data exfiltration alerts. It remains one of the most significant examples of an insider threat in Canadian corporate history, especially due to the duration of the breach and the sensitivity of the data compromised.
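The user-activity monitoring this section calls for comes down to comparing each employee's data access against their own baseline and against a volume ceiling, since a slow, steady exfiltration can look normal day by day and only stands out in aggregate. The added example below (not code from the article or from Desjardins) scores one day of per-user record-access counts against a constructed history on both measures. The user names, counts, 30-day cap and z-score threshold are assumptions for the illustration.

```python
import statistics

# Constructed history: records accessed per day over the previous 14 days.
HISTORY = {
    "analyst1": [190, 210, 205, 195, 200, 198, 202, 207, 193, 199, 201, 204, 196, 200],
    "analyst2": [48, 52, 50, 49, 51, 50, 47, 53, 50, 49, 51, 50, 52, 48],
    "analyst3": [400] * 14,  # steady, high volume every single day
}

# Constructed counts for the day being scored.
TODAY = {"analyst1": 4000, "analyst2": 52, "analyst3": 400}


def detect_anomalies(history, today, z_threshold=3.0, period_cap=5000):
    """Score one day of per-user access counts.

    Two independent signals, so both a sudden spike and a slow drip are caught:
      daily_spike        -- today's count is more than z_threshold standard
                            deviations above the user's own daily baseline
      period_volume_cap  -- history plus today exceeds an absolute ceiling
    Returns user -> list of reasons, only for users with at least one reason.
    """
    findings = {}
    for user, count in today.items():
        past = history.get(user, [])
        reasons = []
        if len(past) >= 7:  # need some history before a baseline means anything
            mean = statistics.mean(past)
            sd = statistics.pstdev(past)
            if sd == 0:
                spike = count > mean  # any increase over a perfectly flat baseline
            else:
                spike = (count - mean) / sd > z_threshold
            if spike:
                reasons.append("daily_spike")
        if sum(past) + count > period_cap:
            reasons.append("period_volume_cap")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect_anomalies(HISTORY, TODAY).items():
        print(user, ", ".join(reasons))
```

In the constructed data, `analyst1` trips the spike rule, while `analyst3` never deviates from a flat 400 records a day and is caught only by the volume cap, which is the signal a long-running insider exfiltration would leave. A real deployment would add peer-group comparison (analysts in the same role) so a baseline that is itself abnormal does not pass as normal.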

Prevention methods:

  • Enforce strict access controls and least privilege policies

  • Monitor and audit employee data access regularly

  • Use behavioral analytics to detect unusual activity

3.9 Westpac Banking Corporation Data Breaches (2019–2024)

Date: Multiple incidents: February 2019, May 2019, October 2024
Impacted Customer Number: Approximately 98,000 customers (PayID breach); additional customers impacted by third-party and service outages
Breached Data:
  • Names and mobile numbers (PayID)
  • Property valuation details and contact info (LandMark White)
  • Service disruptions; no data theft confirmed (2024 outage)

Westpac, a major Australian bank, faced multiple data-related incidents between 2019 and 2024, notably involving its PayID platform.

  • In early 2019, a third-party breach involving LandMark White, a property valuation firm working with Westpac, exposed property valuation data and customer contact information. Westpac promptly suspended the vendor and notified impacted individuals.

  • In May 2019, attackers used enumeration techniques to extract approximately 98,000 customer names and associated mobile numbers via Westpac’s PayID service. Although no banking credentials or account numbers were compromised, the exposed data posed risks of mass-scale fraud and identity theft.

  • In October 2024, Westpac experienced significant online and mobile banking disruptions lasting several days, initially raising concerns about potential cyberattacks. Though the outages appeared consistent with denial-of-service (DoS) attacks, Westpac confirmed that no customer data was compromised.

These incidents collectively underscored the importance of robust data security, third-party risk management, and proactive incident response strategies.
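Enumeration against a lookup endpoint has a recognizable shape in the server logs: one source querying many different identifiers in a short window, most of which do not exist. The added example below (not code from the article or from Westpac) runs a sliding-window detector over constructed log lines and flags sources matching that pattern; the log format, addresses, thresholds and identifier scheme are assumptions for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed lookup log for a payee-lookup endpoint: one source walks through
# consecutive identifiers (mostly misses); another makes two ordinary lookups.
SAMPLE_LOG = [
    f"2019-05-20T10:00:{2 * i:02d}Z src=203.0.113.5 lookup=phone:+6140000{i:04d} "
    f"result={'hit' if i % 4 == 0 else 'miss'}"
    for i in range(12)
] + [
    "2019-05-20T10:00:05Z src=198.51.100.7 lookup=phone:+61400011111 result=hit",
    "2019-05-20T10:00:40Z src=198.51.100.7 lookup=phone:+61400022222 result=hit",
]


def parse(line):
    """Split one constructed log line into (timestamp, src, identifier, result)."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = (
        datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        .replace(tzinfo=timezone.utc)
        .timestamp()
    )
    return ts, fields["src"], fields["lookup"], fields["result"]


def detect_enumeration(lines, window_s=60, max_distinct=5, min_miss_ratio=0.5):
    """Flag sources that query more than max_distinct different identifiers
    within window_s seconds while at least min_miss_ratio of those lookups
    miss. Returns source -> peak number of distinct identifiers in a window."""
    events = sorted(parse(line) for line in lines)
    recent = defaultdict(deque)  # per-source sliding window of recent lookups
    flagged = {}
    for ts, src, ident, result in events:
        window = recent[src]
        window.append((ts, ident, result))
        while window and ts - window[0][0] > window_s:
            window.popleft()  # drop lookups older than the window
        distinct = {i for _, i, _ in window}
        misses = sum(1 for _, _, r in window if r == "miss")
        if len(distinct) > max_distinct and misses / len(window) >= min_miss_ratio:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, peak in detect_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {peak} distinct identifiers in one window")
```

The miss ratio matters: a legitimate batch payment that resolves many known payees produces many distinct lookups but few misses, so it is not flagged, while a guessing run is mostly misses. The flagged output is what the rate limiter or step-up authentication in the prevention list above would act on.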

Prevention methods:

  • Strengthen defenses against enumeration attacks through enhanced rate-limiting, anomaly detection, and multi-layer authentication measures.

  • Implement comprehensive third-party risk management protocols, including continuous monitoring and regular cybersecurity assessments of vendors.

  • Maintain robust cyber resilience frameworks capable of rapidly responding to and mitigating denial-of-service attacks to ensure service continuity.

  • Increase customer transparency and communication regarding cybersecurity risks and incident responses.

3.10 Flagstar Bank Data Breaches (2021–2023)

Date: Multiple incidents: Early 2021, December 2021, May 2023
Impacted Customer Number: Approximately 3.8 million across incidents
Breached Data:
  • Names and Social Security numbers
  • Addresses and phone numbers
  • Tax records and personal details

Flagstar Bank, a prominent U.S. financial institution, suffered several significant breaches between 2021 and 2023, affecting millions of customers:

  • December 2021 breach: Attackers gained direct access to Flagstar’s network, compromising personal data, including names and Social Security numbers, of approximately 1.5 million customers. Regulatory authorities fined Flagstar $3.5 million for insufficient disclosure and misleading communication regarding the breach.

  • May 2023 MOVEit Transfer breach: Third-party vendor Fiserv, servicing Flagstar, experienced a breach via the MOVEit Transfer vulnerability, affecting approximately 837,390 Flagstar customers. The breach exposed extensive personal details, including addresses, phone numbers, and potentially Social Security numbers and tax records.

  • Early 2021 Accellion breach: Flagstar was among several institutions impacted by vulnerabilities in Accellion’s legacy File Transfer Appliance, compromising nearly 1.5 million customers’ sensitive data such as Social Security numbers and tax documents.

These incidents led to regulatory penalties, substantial remediation efforts, and commitments from Flagstar to significantly enhance cybersecurity measures.

Prevention methods:

  • Strengthen internal cybersecurity practices, emphasizing rapid detection, remediation, and clear disclosure procedures.

  • Conduct regular third-party cybersecurity assessments and enforce stringent vendor management protocols.

  • Replace legacy systems promptly and apply critical security patches as soon as they become available.

  • Provide ongoing cybersecurity training to personnel and implement comprehensive data-loss prevention (DLP) and threat-monitoring solutions.


4. Common Patterns in Data Breaches in the Financial Sector

Analyzing these significant financial-sector data breaches reveals several recurring vulnerabilities and cybersecurity weaknesses. Financial institutions must recognize and address these common patterns proactively to better protect sensitive information and customer trust:

4.1 Exploitation of Known Vulnerabilities and Unpatched Systems

Many major breaches, such as Equifax and Flagstar Bank, occurred due to failures in promptly applying available software patches. Equifax neglected to patch a well-documented Apache Struts vulnerability for months, resulting in a catastrophic breach affecting nearly 148 million individuals. Similarly, Flagstar Bank’s breaches through the MOVEit Transfer and Accellion FTA vulnerabilities illustrate the costly consequences of delayed patching. Financial organizations must adopt rigorous patch management procedures, including continuous vulnerability scanning, rapid software updates, and thorough pre-deployment testing to close security gaps before attackers exploit them.

4.2 Weaknesses in Access Control and Insider Threat Management

Insufficient internal access controls have repeatedly allowed insider threats to cause significant harm, as seen in the Desjardins Group and Block (Cash App Investing) breaches. At Desjardins, inadequate oversight enabled an employee to exfiltrate customer data systematically over two years. Similarly, Block failed to revoke a former employee’s access promptly, resulting in unauthorized data extraction affecting millions of users. These breaches emphasize the necessity of enforcing strict access management, promptly revoking credentials upon employee departure, closely monitoring internal data access, and regularly training staff to recognize and mitigate insider risks.

4.3 Insufficient Monitoring and Delayed Detection

Delayed detection significantly compounded damage in breaches at Heartland Payment Systems, Desjardins Group, and Equifax. Heartland’s attackers remained undetected for months, intercepting card data without interruption. Desjardins experienced a data exfiltration spanning two years before detection. Equifax’s incident highlighted an oversight where expired certificates disabled monitoring systems for 19 months. To mitigate such risks, financial institutions must implement robust, real-time monitoring, continuously updated security certificates, and advanced anomaly detection tools to swiftly recognize and respond to threats.

4.4 Slow or Ineffective Incident Response and Disclosure

Poor incident response and delayed disclosure severely amplified consequences for breaches involving Block, Equifax, and Flagstar Bank. Block faced criticism for a four-month disclosure delay, while Equifax’s slow response fueled regulatory scrutiny and massive settlements. Flagstar Bank’s inadequate disclosures led to substantial regulatory penalties. Effective incident management requires clearly defined and practiced response protocols, transparent and timely communication with regulators and customers, and decisive internal coordination to limit reputational harm and regulatory impacts.

5. Conclusion

The analysis of the largest data breaches within the global financial sector reveals clear patterns: most breaches were not driven by complex hacking techniques, but rather by fundamental cybersecurity oversights such as delayed patching, inadequate internal controls, insufficient monitoring, and ineffective incident responses. These repeated vulnerabilities highlight a critical lesson: financial institutions must move beyond basic compliance and proactively embed cybersecurity into their operational culture. Prioritizing patch management, enhancing insider threat prevention, implementing real-time monitoring, and preparing clear incident response plans are not just best practices. They are essential to maintaining customer trust and ensuring the long-term resilience of financial organizations.
