Privacy and security in the financial sector: What can go wrong?
Posted: August 29, 2024
Financial services companies are used to close regulation and stringent compliance measures. But some finance businesses have suffered data breaches or data protection compliance violations that have caused harm to their customers and resulted in multi-million-dollar penalties.
Here are three examples of companies in the financial services sector whose security and privacy missteps have cost them dearly. These sorts of issues could affect virtually any company – but when people’s money and financial data are involved, the consequences are particularly severe.
1. Insider threats: The Desjardins Group breach
Between 2017 and 2019, Desjardins Group suffered one of the largest data breaches in Canadian financial history, affecting the personal information of nearly 9.7 million individuals.
The breach was caused by a rogue employee who had been siphoning sensitive data for at least 26 months before it was detected. The compromised data included names, addresses, birth dates, social insurance numbers, email addresses, and transaction details.
The breach highlighted significant gaps in Desjardins’ security measures, particularly around internal access controls and the proper implementation of security policies: an employee was able to accumulate and remove customer records over more than two years without internal monitoring raising an alarm. The incident was only discovered after law enforcement notified Desjardins in 2019, prompting an internal investigation.
Desjardins ended up settling for around CAD 201 million (around £113 million), which included compensation for those affected and identity theft-related damages.
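The Desjardins case turned on volume over time: one account touched far more customer records than its peers, day after day, and nobody was comparing. The script below is an added example, not Desjardins’ code or any vendor’s product, and the access log it reads is constructed. It assumes the application records how many customer records each user touched per day, and it flags users whose daily volume exceeds a multiple of the leave-one-out median of their peers on several distinct days, so a single busy day does not trigger an alert but a sustained pattern does.

```python
"""Flag sustained, out-of-pattern bulk access to customer records.

Added example (not Desjardins' code). Assumes a daily per-user count of
customer records accessed is available; the log below is constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed log: "date user records_touched", one line per user per day.
SAMPLE_LOG = """\
2017-03-01 agent01 41
2017-03-01 agent02 38
2017-03-01 analyst07 910
2017-03-02 agent01 45
2017-03-02 agent02 33
2017-03-02 analyst07 880
2017-03-03 agent01 39
2017-03-03 agent02 52
2017-03-03 analyst07 120
2017-03-04 agent01 44
2017-03-04 agent02 40
2017-03-04 analyst07 955
"""


def parse_log(text):
    """Return {user: {date: count}} from 'date user count' lines."""
    per_user = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, count = line.split()
        per_user[user][date] = int(count)
    return per_user


def flag_sustained_outliers(per_user, factor=10, min_days=3):
    """Return {user: [dates]} for users whose daily volume exceeded
    factor * median(peers' volume that day) on at least min_days days.

    The peer median is computed leaving the user out, so a heavy user
    cannot drag the baseline up and hide inside it.
    """
    # Group all counts by date so each day has its own baseline.
    by_date = defaultdict(dict)
    for user, days in per_user.items():
        for date, count in days.items():
            by_date[date][user] = count

    flagged = {}
    for user, days in per_user.items():
        hot_days = []
        for date, count in days.items():
            peers = [c for u, c in by_date[date].items() if u != user]
            if not peers:
                continue  # nobody to compare against on that day
            if count > factor * median(peers):
                hot_days.append(date)
        if len(hot_days) >= min_days:
            flagged[user] = sorted(hot_days)
    return flagged


if __name__ == "__main__":
    for user, dates in flag_sustained_outliers(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: bulk access on {len(dates)} days ({', '.join(dates)})")
```

In the constructed data, analyst07 is flagged on three of four days while the two agents are not; lowering `factor` or `min_days` trades false positives for earlier detection, and the right values depend on the role (a fraud investigator legitimately reads more records than a teller), which is why baselines should be computed within peer groups rather than across the whole company.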
2. Failure to patch: The Equifax breach
Another financial services company was breached in 2017, with the incident affecting around 147 million people.
Credit reporting agency Equifax failed to patch a known vulnerability in the Apache Struts framework, a program for building web applications. The flaw (CVE-2017-5638) had been publicly disclosed, with a fix available, in March 2017; attackers exploited it from mid-May 2017 to run code on an Equifax web server and, from there, reach databases holding customers’ names, Social Security numbers, birthdates, addresses, and driver’s license numbers.
Equifax faced an investigation by the US Federal Trade Commission (FTC) and, in 2019, agreed to a settlement with the FTC, the Consumer Financial Protection Bureau and US states worth at least $575 million and up to $700 million.
This settlement included compensation for affected individuals, credit monitoring services, and funds for identity restoration. The breach also led to widespread criticism of Equifax’s security practices and delayed public disclosure of the incident.
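The Equifax failure was not a lack of information: the vendor had published the fix and the affected version ranges months earlier. What was missing was a reliable answer to "where are we still running an affected version?" The script below is an added example, not Equifax’s tooling, and the application inventory it reads is constructed. It checks each deployed Struts artifact against the affected ranges for CVE-2017-5638 (fixed in Struts 2.3.32 and 2.5.10.1) using numeric, component-wise version comparison, so that 2.5.10 is correctly treated as older than 2.5.10.1.

```python
"""Check a dependency inventory against a published fixed-version threshold.

Added example (not Equifax's code). The inventory below is constructed.
Affected ranges for CVE-2017-5638 are taken from the Apache Struts advisory:
2.3.5 through 2.3.31 (fixed in 2.3.32) and 2.5 through 2.5.10 (fixed in 2.5.10.1).
"""

# (first affected version, first fixed version) pairs; a version is affected
# if first_affected <= version < first_fixed for any pair.
STRUTS_CVE_2017_5638 = [
    ("2.3.5", "2.3.32"),
    ("2.5", "2.5.10.1"),
]

# Constructed inventory: application, Maven coordinate, deployed version.
INVENTORY = """\
web-portal,org.apache.struts:struts2-core,2.3.31
dispute-api,org.apache.struts:struts2-core,2.5.10
reporting,org.apache.struts:struts2-core,2.5.10.1
batch-loader,org.apache.struts:struts2-core,2.3.32
auth-service,org.springframework:spring-web,4.3.9
"""


def parse_version(version):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so comparison is numeric, not lexical.

    Tuple comparison also makes (2, 5, 10) < (2, 5, 10, 1), which a plain
    string comparison would get right only by accident.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(version, ranges):
    """True if version falls inside any [first_affected, first_fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(fixed) for lo, fixed in ranges)


def find_unpatched(inventory_csv, artifact, ranges):
    """Return [(application, version)] for deployments of artifact still affected."""
    hits = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        app, art, version = line.split(",")
        if art == artifact and is_affected(version, ranges):
            hits.append((app, version))
    return hits


if __name__ == "__main__":
    for app, version in find_unpatched(
        INVENTORY, "org.apache.struts:struts2-core", STRUTS_CVE_2017_5638
    ):
        print(f"{app}: struts2-core {version} is affected by CVE-2017-5638")
```

The check is only as good as the inventory it reads: an application that is not listed, or whose real deployed version differs from what the manifest claims, will never be reported. Pair a manifest check like this with verification against what is actually running (for example, hashing the jars on the host) rather than trusting either source alone.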
3. Data protection violations: CaixaBank
CaixaBank, a major Spanish financial institution, has been fined multiple times by Spain’s data protection authority (the “AEPD”) for various violations of the General Data Protection Regulation (GDPR).
In January 2021, CaixaBank was fined €6 million after an investigation revealed that the bank did not tell customers enough about how and why it would use their personal data, among other issues. CaixaBank’s privacy information was inconsistent across different documents, leading to confusion among customers.
In a separate penalty from October 2021, CaixaBank was fined €3 million for using customer information in marketing campaigns without proper consent. In particular, some people received marketing even though they had no ongoing relationship with the bank.
More recently, in October 2023, CaixaBank was fined €5 million for inadequate data security measures. The fine followed a complaint by an individual, and the AEPD’s decision highlighted the need for stricter compliance with data protection laws within the financial sector.
Putting privacy and security first
Data protection, privacy, and data security are crucial considerations for practically any company – particularly those operating in sectors like finance, where breaches or violations can involve highly sensitive data and have profound impacts on individuals.
By remaining closely attentive to risks, treating customers’ data with respect, and integrating security and privacy into their operations, financial services companies can avoid the sorts of issues we’ve explored above.
Read our research report: Prioritizing privacy in the digital banking revolution
With banking increasingly moving online, discover how you can prioritize privacy while balancing user experience with the protection of sensitive data. Find out more about:
- Global approaches to Open Banking frameworks and legislation
- Navigating the shift towards Open Finance
- Steps to prepare for Open Banking and Open Finance
- Steps to prioritize privacy as digital banking continues to evolve
- Case study in Open Banking