10 biggest financial data breaches of 2022

Criminals have many means of stealing money and information from consumers, from scamming consumers directly to stealing their information from companies that hold it for them. For many cybercriminals, the quickest way to get a massive amount of valuable data is by targeting financial institutions.

Cybersecurity firm Flashpoint said in recently released data that the financial sector experienced the second highest number of data breaches in 2022, globally, behind government. U.S. banks were hit hardest, followed by institutions in Argentina, Brazil, and China.

This year, the number of consumer records leaked in breaches globally exceeded 254 million, according to Flashpoint. In the U.S. alone, data from the Maine attorney general indicates that around 9.4 million consumers across the country were affected by data breaches against financial companies.

At least 79 U.S. financial services companies reported data breaches affecting 1,000 or more consumers in 2022, and the largest breaches affect millions of consumers each. Here are some of the biggest data breaches affecting financial services companies this year.

hacker in the dark breaks the access to steal information

Receivables Performance Management: 3.7 million customers

Receivables Performance Management, a debt collection company based in Lynnwood, Washington that provides accounts receivable management services, suffered a data breach in 2021 that, according to a filing with the Maine attorney general, the company did not detect until 18 months later. The company now faces a class action lawsuit over the matter.

The company told the Maine attorney general that hackers obtained Social Security numbers for 3,766,573 consumers and that the breach occurred in April 2021. The company said it first notified consumers about the breach on October 2, 2022.

In its notification to consumers that their data had been breached, the company said it had "obtained confirmation to the best of its ability that the information is no longer in the possession of the third parties associated with this incident." However, the plaintiffs in the class action lawsuit contend that consumer identities obtained through the breach have likely ended up on black markets, exposing them to significant risk of identity theft.
Elephant Staff

Elephant Insurance Services: 2.7 million consumers

Elephant Insurance Services in Henrico, Virginia reported in May that it was hit with a breach affecting more than 2.7 million consumers. In a statement on the matter, Elephant said it took "prompt measures to secure its systems, investigate this incident, and determine what information may be affected." The firm also said it "reported the incident to federal law enforcement and is notifying appropriate state regulatory agencies."

The breach exposed names and driver's license numbers, or other identity card numbers, according to Elephant Insurance. The company said it notified consumers about the breach one month after discovering it.
penetrated security lock with a hole on computer circuit board

Lakeview Loan Servicing: 2.5 million customers

Lakeview Loan Servicing, the fourth-largest mortgage loan servicer in the U.S., said in March that a breach it suffered last year affected more than 2.5 million consumers, exposing account numbers including or credit and debit card numbers.

"Like many other organizations, Lakeview experienced a security incident in 2021," the company said of the latest breach. "Steps were taken to immediately contain the incident, law enforcement was notified, and a thorough investigation was conducted by a forensic investigation firm. Lakeview's operations were not disrupted."
Flagstar.jpeg

Flagstar Bank: 1.5 million customers

As measured by the number of people affected, the largest data breach by a bank so far this year impacted Flagstar Bank, which now faces multiple class actions over the incident. The bank told the Maine attorney general the breach affected more than 1.5 million consumers, who had their names and Social Security numbers exposed in the incident.

"For those impacted, we have no evidence that any of their information has been misused," the bank wrote in a statement about the breach. "Nevertheless, out of an abundance of caution we are offering complimentary credit monitoring services."
BECU.jpeg

Boeing Employees’ Credit Union: 340,000 consumers

Two other financial institutions suffered data breaches affecting more than 100,000 people this year, including Boeing Employees' Credit Union. The breach in mid-June affected 344,752 consumers and their Social Security numbers.

"On June 6, BECU was informed that our third-party printing vendor had experienced a network security incident that impacted their printing and notification services for our members and involved unauthorized access to certain data of some members," the credit union told affected consumers. "At that time, BECU took immediate measures to protect member information by suspending services with the vendor."
First Financial.jpeg

First Financial Credit Union: 220,000 consumers

A breach at First Financial Credit Union in Southern California starting in mid-January affected 229,748 consumers and their driver's license numbers.

"As soon as we became aware of the incident, we immediately launched an investigation into the nature and scope of the incident," Ron Moorehead, president and CEO of First Financial, told the Albuquerque Journal. "A third party information technology forensic firm has been engaged to assist us and help ensure the security of our systems. The investigation remains ongoing, and will take some time to complete.
Close-up of professional computer hacker writing data codes typing on laptop at night in the office.

Cash Express: 100,000 consumers

Nonbank lending company Cash Express reported to the Montana attorney general in September that a data breach exposed sensitive consumer information from more than 100,000 individuals. That information included names, birthdates, Social Security numbers, financial information and contact information, according to the company's filings with state attorney generals.

In its letter to the affected individuals, Cash Express said it hired a third-party data security firm to conduct an investigation after detecting unusual activity on its company network on Feb. 6. The investigation found an unauthorized party had accessed a portion of the company's computer system between Jan. 29 and Feb. 6. According to the company's filing with the Maine attorney general, 106,521 people were affected by the breach.
Lending Tree's new South End headquarters building in Charlotte,

LendingTree: 70,000 customers

Over the summer, LendingTree acknowledged it suffered two data breaches in the past year, but it denied allegations that it was responsible for a larger breach and that it had "downplayed" the events. After allegations in a class action lawsuit that the company had suffered a breach affecting 200,000 consumers, a company spokeswoman said the number of people affected was actually less than 70,000.
Revolut.jpeg

Revolut: 50,000 customers globally

Hackers accessed the personal data of 50,000 Revolut customers in September, and a phishing campaign imitating the company soon followed, though the company did not confirm whether the events were linked.

As first reported by Bleeping Computer, Lithuania's State Data Protection Inspector said in a Sept. 16 disclosure about the breach that the exposed data may have included names, addresses, emails, postal addresses and telephone numbers.

Revolut told the Lithuanian inspector that hackers did not get payment card numbers. The company told customers they could use their accounts normally, and a company spokeswoman said "no funds have been accessed or stolen" and that "customers' money is safe — as it always has been."
Electricity Infrastructure as Eskom Holdings SOC Ltd. Bailout Prospects Fade

TransUnion South Africa: 5 million consumers globally

In one of the largest data leaks globally this year, TransUnion South Africa said in March that it suffered a breach that it later said exposed the data of 5 million consumers — allegedly, according to the threat actor, because the company guarded one of its systems with the password "password".

The company released the findings that 5 million consumers were affected after initial claims by the threat actor involved, N4ughtySecTU, that the hackers had stolen 54 million records. TransUnion South Africa said at the time it believed the 54 million records to actually be from a 2017 incident that was "unrelated to TransUnion," but the company did not specify what incident or whether 54 million records were leaked in the recent incident.
MORE FROM AMERICAN BANKER