Nearly every major U.S. bank has been caught in the crossfire of third-party data breaches over the past year. According to a new analysis from SecurityScorecard, 97% of the top 100 U.S. banks experienced at least one third-party breach in the last 12 months — a sobering reminder of how vulnerable banking supply chains have become (Scorecard, 2024).
Somewhere between $5 million and $10 million — that’s the financial punch each data breach landed on most U.S. financial institutions over the past five years. These are not vague estimates (CDW, 2024). Let’s look back at the top 10 breaches in financial and banking institutions:
- Equifax – the Anatomy of a Perfect Cyber Storm
The Equifax breach in September 2017 remains one of the most defining data security failures in history (Bloomberg, 2017). Attackers infiltrated Equifax’s system through a consumer complaint web portal vulnerability — a low-value entry point that should never have connected to sensitive systems. Once inside, they navigated across poorly segmented servers, extracting the personal information of 147 million people.
Weak data governance, poor patching discipline, and a culture that undervalued cybersecurity combined into a textbook case of how internal blind spots create external disasters. When personal data — especially financial records — flows between environments without strong segmentation, encryption, or monitoring, breaches become inevitable, not exceptional.
- Flagstar Bank – A Breach Repeating History
In June 2022, Flagstar Bank—one of the largest financial institutions in the U.S.—disclosed that nearly 1.5 million customers had their Social Security numbers and other personal information exposed in a major data breach (Banking Dive, 2022).
The breach stemmed from a third-party vulnerability tied to a supply chain software flaw—an increasingly common entry point as financial institutions rely heavily on external vendors for everything from payment processing to customer communications. Attackers exploited this weakness to access sensitive customer data stored within Flagstar’s internal systems. The breach followed a similar incident in 2021, showing that lessons from previous breaches failed to translate into lasting defensive changes.
- LoanDepot – BlackCat’s Mortgage Industry Heist
In one of the most significant financial data breaches of 2024, LoanDepot, a major U.S. mortgage lender, suffered a devastating ransomware attack at the hands of the Alphv/BlackCat group. The breach, which took place between January 3 and January 5, exposed sensitive financial and personal data of 16.9 million customers—including names, addresses, financial account numbers, phone numbers, and birth dates (LoanDepot, 2024).
The attack crippled LoanDepot’s operations for nearly two weeks, disrupting mortgage applications, loan servicing, and critical financial transactions. Customers were locked out of their accounts, payments were delayed, and the company scrambled to restore systems while dealing with growing consumer frustration and legal obligations.
- JPMorgan Chase – Targeted Intent
The JPMorgan Chase breach in October 2015 exposed 83 million accounts – 76 million households and 7 million businesses. Hackers gained full administrative access to internal servers — a level of access suggesting either a highly sophisticated campaign or serious gaps in privilege management.
But the most unsettling part wasn’t the breach itself — it was the motive. Attackers didn’t steal money (CNN, 2015). They only took customer information, fueling speculation that they were building intelligence profiles on specific individuals rather than aiming for financial gain. This type of breach signals the rise of targeted data harvesting for long-term exploitation — from identity theft to blackmail or geopolitical intelligence gathering. Personal data is now currency for attackers building future leverage.
- First American Financial – No Hack Required
In May 2019, 885 million sensitive records tied to real estate transactions were exposed at First American Financial Corp. The twist? No hackers were involved (Forbes, 2019). This was an internal design failure — exposed documents accessible through poorly secured web links (a classic IDOR flaw — insecure direct object reference).
The breach revealed names, phone numbers, and addresses, exposing customers to future phishing, social engineering, and fraud. It also raised a bigger structural question: how much of today’s data exposure stems not from cybercriminal ingenuity but careless system design and weak internal controls?
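The IDOR pattern described above, as an added example that is not code from the article or from First American: a document-link handler that trusts the id in the link, beside a fixed handler that enforces ownership and hands out HMAC-bound links. The merchant data, user names and link format are constructed for the example.

```python
# Added example, not code from the article or First American: a document-link
# handler with the IDOR the article describes, beside its fixed form.
import hashlib, hmac, secrets

# Constructed sample data: closing documents keyed by sequential id, stored as
# (owner, body), exactly as a naive document portal would do.
DOCS = {
    1001: ("alice", "alice: escrow statement"),
    1002: ("bob", "bob: wire instructions"),
}
# Stands in for a managed secret; generated here so the example runs offline.
LINK_KEY = secrets.token_bytes(32)

class Forbidden(Exception):
    pass

def fetch_insecure(doc_id: int) -> str:
    """Vulnerable: /docs/<id> trusts the id alone, so editing 1001 to 1002
    in the link returns another customer's file."""
    return DOCS[doc_id][1]

def authorized(user: str, doc_id: int) -> bool:
    """Server-side ownership check, applied on every request."""
    doc = DOCS.get(doc_id)
    return doc is not None and doc[0] == user

def fetch_secure(user: str, doc_id: int) -> str:
    """Fixed: the id is never enough; the session user must own the document."""
    if not authorized(user, doc_id):
        raise Forbidden("document is not owned by the requesting user")
    return DOCS[doc_id][1]

def _tag(user: str, doc_id: str) -> str:
    return hmac.new(LINK_KEY, f"{user}:{doc_id}".encode(), hashlib.sha256).hexdigest()

def make_link(user: str, doc_id: int) -> str:
    """Defence in depth: links carry an HMAC over user and id, so a leaked
    link cannot be edited into a neighbouring id or reused by another user."""
    return f"{user}:{doc_id}:{_tag(user, str(doc_id))}"

def verify_link(user: str, link: str) -> bool:
    """True only if the tag is intact and the link was issued to this user."""
    parts = link.split(":")
    if len(parts) != 3:
        return False
    link_user, doc_id, tag = parts
    return link_user == user and hmac.compare_digest(tag, _tag(link_user, doc_id))
```

The signed link is a second layer, not a replacement for the ownership check: `fetch_secure` still runs on every request even when the link verifies.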
- Capital One – When Cloud Misconfiguration Opens the Vault
In 2019, a former AWS engineer used their insider knowledge to exploit a misconfigured firewall, slipping into Capital One’s cloud storage unnoticed. With stolen credentials in hand, they walked out with the personal and financial data of 106 million people across the U.S. and Canada (CNN, 2019).
What made this breach so damning wasn’t just the scale, but how avoidable it was. A single misstep in cloud configuration, combined with weak access controls, gave an outsider privileged access to highly sensitive data. Capital One paid for it—$80 million in fines and $190 million in settlements—but the bigger price was trust.
- Experian South Africa – Social Engineering Masterclass
Not every breach starts with code. In 2020, a fraudster posing as a legitimate business client tricked an Experian employee into handing over data on 24 million consumers and nearly 800,000 businesses in South Africa (InfoSecurity, 2020). This was a prime example of social engineering done right—the attacker knew exactly how Experian validated clients and played the process perfectly. Names, identity numbers, contact details, and employment data were all handed over voluntarily.
Experian claimed it recovered the data, but that’s wishful thinking… Once exposed, data never fully disappears; it just moves deeper into the underground economy. This case is a sharp reminder that no technology can fully protect a company if its people can be manipulated. Real security starts with a culture that questions everything, even routine requests.
- Heartland Payment Systems – The SQL Injection That Shook Payments
Back in 2008, hackers found an SQL injection flaw in a web form on Heartland’s site. That single vulnerability gave them enough access to install malware directly into the payment processing system (Proofpoint, 2015). 130 million credit card numbers, along with names, expiration dates, and security codes, were intercepted in transit.
The breach exposed how outdated application security can unravel even the most critical systems. It also proved that encryption only works if applied at every step—from when data is collected to when it leaves the network. After the breach, Heartland adopted end-to-end encryption (E2EE), setting a precedent for handling payment data. But the real lesson? Every public-facing input is a potential point of compromise, and ignoring basic web security is like handing hackers a keyring.
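The web-form flaw described above, as an added example that is not code from the article or from Heartland: a merchant lookup that splices the form field into SQL, beside the parameterized query and an edge validation layer. The table, merchant ids and `MID-nnnn` format are constructed for the example.

```python
# Added example, not code from the article or Heartland: a merchant-lookup
# web form built by string concatenation, beside its parameterized form,
# over a constructed SQLite table.
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a merchant table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE merchants (id INTEGER, name TEXT, mid TEXT)")
    con.executemany("INSERT INTO merchants VALUES (?, ?, ?)", [
        (1, "Corner Cafe", "MID-0001"),
        (2, "Main St Hardware", "MID-0002"),
        (3, "Riverside Clinic", "MID-0003"),
    ])
    return con

def lookup_vulnerable(con: sqlite3.Connection, form_value: str) -> list:
    """Vulnerable: the untrusted form field is spliced into the SQL text, so
    the database cannot tell where the value ends and the query begins."""
    sql = "SELECT name FROM merchants WHERE mid = '" + form_value + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con: sqlite3.Connection, form_value: str) -> list:
    """Fixed: the value is bound as a parameter; whatever it contains, it is
    only ever compared against the mid column, never parsed as SQL."""
    sql = "SELECT name FROM merchants WHERE mid = ?"
    return [row[0] for row in con.execute(sql, (form_value,))]

MID_PATTERN = re.compile(r"MID-\d{4}")  # constructed id format for this sample

def valid_mid(form_value: str) -> bool:
    """Second layer: reject anything that is not a well-formed merchant id at
    the edge, so malformed input is dropped (and can be logged) before SQL."""
    return MID_PATTERN.fullmatch(form_value) is not None

def handle_form(con: sqlite3.Connection, form_value: str) -> list:
    """What the form handler should do: validate, then query with parameters."""
    if not valid_mid(form_value):
        return []
    return lookup_safe(con, form_value)
```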
- Korea Credit Bureau – When the Threat is Already Inside
Over a full year, a Korea Credit Bureau consultant quietly copied sensitive data onto a personal external drive—eventually selling it to third-party marketers. In total, 20 million individuals—nearly 40% of South Korea’s population—had their credit card numbers, social security data, and personal details exposed (CNN, 2014).
This was the perfect insider threat scenario: someone with legitimate access, abusing their position while security controls were either weak or non-existent. Files weren’t encrypted. Activity monitoring was insufficient. And once the breach was discovered, there was no way to fully recover the stolen data. The fallout led to a regulatory crackdown in South Korea, with stricter data protection laws and mandatory real-time activity tracking for anyone with access to sensitive data.
- Block – Insider Breach That Slipped Through Square’s Defenses
In April 2022, a data breach at Square (now Block) exposed the personal and financial details of around 8.2 million customers — all because an employee, with existing access, downloaded sensitive reports without approval (Security Magazine, 2022).
The leaked data included full names, brokerage account numbers, portfolio values, holdings, and a snapshot of one day’s trading activity. Passwords, social security numbers, and payment details were not affected. This case highlights a critical blind spot in insider threat detection: when harmful actions fall within an employee’s normal access rights, traditional monitoring tools often miss them. Preventing this requires tailored, context-aware controls that focus on intent, not just access.
Bottom Line
All 10 of these incidents center on one critical lesson: cybersecurity can’t just be a technical function. It has to be embedded into how financial institutions operate, partner, and think. That means moving beyond compliance checklists into adaptive, intelligence-driven defense—with real-time threat visibility, rigorous vendor oversight, zero-trust principles, and a workforce trained to question everything.