The biggest data breaches of 2024 in financial services

December 16, 2024 2:57 PM

The number of records leaked in data breaches this year was greater than the number of people living in the U.S. In fact, one breach — from data broker National Public Data — was singly responsible for 2.7 billion of these leaked records.

The sheer volume of data breached serves as a reminder that many — perhaps most — Americans have had their Social Security number, address, driver's license number or some other piece of identifying information posted in a data breach dump online. This presents difficulty for banks and other companies seeking to verify the identity of customers.

However, these 2024 data breaches also disrupted the financial lives of many Americans. Besides dealing with identity theft, some consumers also temporarily lost access to their financial accounts this year because of ransomware. Banks and insurance companies also suffered reputational harm and customer attrition because of these cyberattacks.

What follows is a list of the largest data breaches and cyberattacks that affected the financial services industry this year. The list pertains to data breaches that have been publicly disclosed as of this writing. It does not include breaches that occurred in 2023 but were disclosed in 2024, of which there were two: one that affected 500,000 Texas Dow Employees Credit Union members and 57,000 Bank of America accountholders.

LoanDepot breach affects 16.9 million people

Adobe Stock

The largest data breach from a financial services company in 2024 affected LoanDepot, a top-ranked mortgage lender based in Irvine, California. Threat actor Alphv, also known as Blackcat, took responsibility for the attack.

The attack, which the lender says took place from Jan. 3 to Jan. 5, exposed names, addresses, financial account numbers, phone numbers and dates of birth of 16.9 million customers, according to a disclosure to the Maine Attorney General and letter to victims. The attack caused disruptions at the company for nearly two weeks.

Evolve Bank & Trust breach affects 7.6 million people

The largest data breach from a bank in 2024 affected Evolve Bank & Trust, based in Memphis, Tennessee. Evolve disclosed to the Maine Attorney General that the breach affected 7.6 million people. The bank said in a statement on its website that the breach included names, Social Security numbers, Evolve account numbers, dates of birth and contact information. The breach occurred in May and was publicly disclosed in late June.

The bank partners with many fintechs that were also harmed by the breach, including Affirm, Wise and Bilt Rewards.

LockBit, the threat actor that perpetrated the data breach, initially claimed falsely that the data it had stolen came from the Federal Reserve.

Prior to the breach, in February, law enforcement in the U.K., U.S. and Europe proclaimed that they had disrupted LockBit. Graeme Biggar, the director of the U.K. National Crime Agency, or NCA, said at the time that the gang was "the world's most harmful cybercrime group."

Cybercrime experts said soon after the announcement that the disruption was a win, but it would likely only have a temporary impact on LockBit's operations. Indeed, by the summer, the group had continued its operations.

Breach at debt collector FBCS affects 4.2 million people

Business Debt Collection or Recovery. Unpaid Invoice

A February data breach at debt collector Financial Business and Consumer Solutions affected 4.2 million customers of various lenders, health care providers, telcos and other companies.

Truist was one of those lenders affected, though it is unclear exactly how many of its customers were impacted. The bank said in a letter to victims that the breached data varied per person but may include the consumer's name, address, date of birth, Social Security number and account number.

EquiLend breach impacts securities lending for two weeks

Wall Street Stock-Lending Platform Crashes in Ransomware Attack

EquiLend disclosed in January that it had been targeted by a ransomware attack that took large portions of its platforms, including for lending securities and post-trade services, offline. LockBit claimed responsibility for the attack in a statement to Bloomberg.

EquiLend allows institutional customers to borrow securities, which is part of the process of shorting stocks (i.e., trades that profit when the stock price falls). These services were disrupted for nearly two weeks, according to the company.

Prudential data breach affects 2.5 million people

Chicago, Illinois, USA - March 28, 2022: Prudential Chicago Office building in Chicago. Prudential Financial, Inc. is an American insurance company.

Prudential Financial disclosed in February that it had suffered a data breach, which it later said had impacted 2.5 million people.

The breached data included names, addresses and driver's license numbers and other identification card numbers, according to the company's disclosure to the Maine attorney general.

Threat actor Alphv, also known as BlackCat, took responsibility for the breach.

Patelco Credit Union incident disrupts banking for 500,000 members

Patelco Credit Union headquarters in Dublin, California, USA - June 12, 2023. Patelco Credit Union is a member owned, not-for-profit credit union.

In June, Patelco Credit Union in Dublin, California, proactively shut down many of its digital and online banking systems in response to a ransomware attack. The $9.8 billion-asset credit union said at the time it had 500,000 members. Members have brought lawsuits against Patelco in response to the incident.

The credit union later disclosed that, as a result of the ransomware attack, 1 million people had their data breached, according to the Maine Attorney General. Breached data included names, Social Security numbers, driver's license numbers, dates of birth and email addresses, according to the credit union's letter to victims.