Inside the Breach: Understanding Patterns & Ploys to Improve Data Breach Prevention

8 minute read

May 2023

Insurance and financial companies, with thousands of corporate and private clients, are lucrative targets for hackers. Each company holds a wealth of data that attackers would love to steal, exploit, or sell to the highest bidder. So it’s no surprise we’re seeing more and more insurance and financial company hacks populating the headlines. 

In this article, we dive into some of the most iconic attacks over the last several years. More importantly, we outline what to look for to improve your data breach prevention strategies, especially those from third parties.

6 Iconic Insurance and Financial Industry Data Breach Examples

Even though countless breaches have penetrated the networks of insurance and financial companies, these are probably the six most notorious– let’s take a deeper look into what happened and the underlying cause.

The Equifax Attack

What happened: In 2017, Equifax found itself in the crosshairs of attackers who levied an assault that impacted 147 million people. The thieves got their digital hands on Equifax customers’ names and birth dates. They also accessed a bounty of sensitive private information, such as Social Security and driver’s license numbers.

The cause: Bad actors gained access to Equifax’s system using a common avenue: the company’s web application software. Equifax’s web applications enable various interactions between the company and its customers, so hackers used the connection points to gain access to sensitive information.

Specifically, the attackers focused on a vulnerability in Equifax’s dispute resolution site. Using this as a point of access, they then leveraged a range of techniques to steal customer data. Equifax agreed to a $425 million settlement to help repair the damage.

The Anthem Breach

What happened: Anthem, a large health insurance provider, was hacked by attackers in April 2014, who got away with the information of around 80 million people. Like the Equifax attack, the perpetrators snatched sensitive data, such as Social Security and healthcare ID numbers. They also nabbed home addresses, emails, and income data.

The cause: The attack started as a phishing assault that targeted one of Anthem’s subsidiaries. They then used the information they gathered in the phishing attack to access Anthem’s servers and steal customer information.

The Capital One Breach

What happened: In 2019, credit card giant Capital One revealed they had been victims of a clever hack. The attackers managed to get away with the personal data of more than 100 million people, including Social Security and credit card numbers.

The cause: The hacker’s method was different than those used in the Equifax and Anthem breaches in that it exploited a vulnerability in the company’s cloud services. The hacker, Paige Thompson, a former engineer for Amazon, built a tool using Amazon Web Services designed to find misconfigured user accounts. She then used these accounts to gain access to and download Capital One’s data.

One element of her methodology involved making her computer appear as a “friendly” digital entity from the perspective of Capital One’s defense system. Under this guise, she levied $250 million in damage on Capital One.

The MetaMask Third-Party Breach

What happened: Hackers took advantage of one of MetaMask’s third parties, a technical customer support provider, to execute an attack on the crypto wallet company between August 2022 and February 2023. MetaMask denied claims that hackers emptied crypto wallets, citing it was not a MetaMask-specific exploit. However, the incident impacted customers who submitted personal data to the customer support vendor. 

The cause: Instead of going after MetaMasks’s systems or employees directly, the attackers targeted the third-party provider that MetaMask used to process customer service issues. 

Once the threat actors gained access to the vendor’s network, the attackers targeted the email addresses of MetaMask users and other info that customers may have entered in a field inside a customer service form. This was a particularly attractive target because customers may have entered payment data or personally identifiable information (PII).

The JP Morgan Chase Hack

What happened: More than 76 million customers had their private information exposed when JP Morgan, one of the largest banks in the US, got hacked in 2014.  The victims’ Social Security numbers, names, and addresses were all revealed, as were their dates of birth.

The cause: These hackers went after some of the lowest-hanging fruit in the cyberattack orchard: a system that hadn’t installed a security update. JP Morgan had already addressed the vulnerability, but their network was penetrated because one or more users hadn’t applied it.

The Premera Blue Cross Breach

What happened: Premera Blue Cross also got hit with an attack that began with phishing. The hackers managed to steal 10.4 million personal records during their campaign, which lasted nine months.

The cause: Threat actors used a phishing email that tricked someone into downloading malware. Once the malware was in Premera’s system, it gave the thieves access to Premera member data. As a result, Primera ended up offering victims two years of credit monitoring free of charge. In this way, victims could see if someone who had stolen their financial information had made purchases that damaged the target’s credit report.

The Excellus Breach

What happened: Another member of the BlueCross family, Excellus, had its customers’ data snatched when hackers went after them between 2013 and 2015. The two-year-long attack gave the hackers a score similar to that in the other insurance and financial industry attacks outlined above: Social Security numbers, names, and birth dates. The hackers also nabbed information about insurance claims Excellus customers had made, along with their payment information.

The cause: The attackers first used administrative credentials to access sensitive areas of Excellus’s network. Even though the company routinely encrypts customer data, because the attackers had administrative privileges, they had the decryption keys they needed to access the information.

How did the attackers get the access they needed for this data breach? Security officials found evidence that they used spear phishing, targeting specific employees. Once the hackers pinned their target on the end of their spear, they tricked them into providing the admin credentials they needed to tap into sensitive data for months.

Data Breach Prevention: Understanding Attack Methods and Patterns

Even though the data that hackers target from financial and insurance companies is often the same, their attack methods may differ significantly. Data breach prevention begins with understanding the patterns behind the ploys. With that said, here are some of the most common tactics hackers use in their attacks.

Before Breaching Your Network

Before breaching your network, a hacker may make a list of all the third-party vendors you use— at least to the best of their knowledge. Often, these companies have access to your network through a dedicated VPN or have been granted permission to view or work within certain digital assets using login credentials.

The attacker may then use phishing attacks to trick one or more employees of these vendors into divulging login credentials, then use them to access your system.

During the Attack

Once the attacker phishes their way into grabbing access credentials, they can get past your firewall and get into your network. At this point, they may use a zero-day exploit downloaded from the dark web to infect a server or computer on your network with malware. Because it’s a zero-day exploit, the targeted system hasn’t been patched with a remedy, leaving it exposed.

Stealing Sensitive Data

The attacker’s zero-day tool malware may contain a tool designed to steal specific digital assets. For instance, they may use a memory scraper that targets information stored in a server’s memory. As the memory scraper harvests customer payment data or PII, the hacker collects it to either sell it to someone else or use it for their own benefit.

Attacking Your Customers

The attacker may also try to stay inside your network for an extended period. This way, they can try to infiltrate other areas of your network. Hackers may also use data they steal to attack one of your customers. For example, they could use PII to make a target believe they’re emailing from the target’s bank. This can be effective because, ostensibly, only a financial institution would have access to certain kinds of personal data.

How Do You Know If You’re Being Attacked?

Even though it can be hard to pinpoint exactly when an attack starts, there are indicators of malicious activity that could be headed your way.

  • Look out for news of attacks on your third parties, and don’t ignore rumors of breaches that impact any of your vendors. 2 out of 3 breaches occur through a third party, so this could be a sign that an attacker is really after you, as opposed to merely your vendor. Of course, ideally, you don’t want to hear about a third-party breach from the headlines, as then it might be too late. CyberGRX’s portfolio-wide monitoring provides automatic alerts when dark web activity is detected or changes in attack patterns have occurred so that you can be more proactive in your response.
  • Large amounts of data leaving or attempting to leave your system over a short period. This can be a sign of a data exfiltration attack.
  • Web servers are getting inundated with requests. This could be a symptom of a DDoS attack.
  • Employees complain about strange or suspicious emails. This may signal a phishing attack. In some cases, an attacker may phish several members of your staff at the same time or in sequence, so if one person complains, there may be others being targeted as well.

Getting Proactive About Data Breach Prevention

Cyber attacks on financial and insurance companies are costly, not only in terms of the financial consequences but in the damage to your brand reputation. By understanding the techniques used in the attacks as they relate to your third-party portfolio, you can improve your risk management and detection and response strategies, too.

For example, CyberGRX’s Attack Scenario Analytics, backed by 13 MITRE tactics and 150+ MITRE kill chains, provides context and visibility into how well a third party is prepared to handle common attacks and which control gaps may need attention.  Threat Profiles, based on the tactics and techniques used in over 49 cyber attacks, enable you to see your vulnerabilities from an attacker’s perspective. Armed with this info, you’re better equipped to predict your resilience against common attack methods, before criminals use them.

Improving your data breach prevention also requires the right tools and visibility. To see how CyberGRX can help safeguard your company, reach out for a demo today.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit