So far in 2022, at least 79 financial services companies have reported data breaches affecting 1,000 or more consumers, and the total number of consumers affected by these breaches could reach 9.4 million.
These numbers come from Maine Attorney General Aaron Frey in accordance with the state’s data breach disclosure laws. The numbers track the total number of people affected by each breach — not just Maine residents.
By number of people affected, the biggest data breach at a bank so far this year hit Flagstar Bank, which now faces several class actions over the incident. The bank told the Maine attorney general that the breach affected more than 1.5 million consumers, whose names and Social Security numbers were exposed in the incident.
“For those affected, we have no evidence that any of their information was misused,” the bank wrote in a statement. “Nevertheless, as a precaution, we offer free credit monitoring services.”
The Maine data provides a broad but incomplete picture of data breaches affecting consumers this year. Maine only tracks breaches that affect at least one resident of the state, so the total number of financial services companies and consumers affected by breaches nationwide is likely larger.
Only two financial services companies have reported larger breaches this year. Elephant Insurance Services in Virginia reported a breach in May affecting more than 2.7 million consumers. Lakeview Loan Servicing, the fourth-largest mortgage servicer in the United States, said in March that a breach that hit it last year reached more than 2.5 million consumers. Each faces at least one trial over the incidents.
“Like many other organizations, Lakeview experienced a security incident in 2021,” the company said in a statement. “Action was taken to immediately contain the incident, law enforcement was notified and a full investigation was conducted by a forensic investigation company. Lakeview operations were not disrupted.”
In its own statement, Elephant said it took “prompt action to secure its systems, investigate this incident and determine what information may be affected.” The company also said it “reported the incident to federal law enforcement and notified the appropriate state regulatory agencies.”
So far this year, at least two other financial institutions have suffered data breaches affecting more than 100,000 people. A breach at the Boeing Employees’ Credit Union beginning in mid-June affected 344,752 consumers and their Social Security numbers.
“On June 6, BECU was notified that our third-party print provider had suffered a network security incident that impacted its print and notification services for our members and involved unauthorized access to certain data from some members,” the credit union said. “At this time, BECU took immediate action to protect member information by suspending services with the provider.”
A First Financial Credit Union breach in Southern California beginning in mid-January affected 229,748 consumers and their driver’s license numbers.
“As soon as we became aware of the incident, we immediately launched an investigation into the nature and extent of the incident,” Ron Moorehead, President and CEO of First Financial, told the Albuquerque Journal. “A third-party computer forensics company has been engaged to assist us and help ensure the security of our systems. The investigation is still ongoing and will take some time.”
These material breaches do not reflect the typical extent of breaches affecting customers of financial institutions. Most breaches affecting financial institutions affect fewer than 5,000 people each, and many of them affect credit unions and regional banks, according to Maine data.
Additionally, while some of the breaches are the result of insider wrongdoing, the larger ones tend to be the result of a malicious actor extracting data from a company.
Many states publish information about data breaches affecting their residents, but Maine’s information is among the most detailed. For each breach, Maine reports the number of affected consumers, the type of data compromised (typically Social Security numbers, driver’s license information, or passport photos), dates related to the incident, and more.
Many states also have a higher threshold for reporting an incident. For example, the Oregon Attorney General only reports data breaches affecting more than 250 Oregonians and does not report the total number of consumers affected by each breach.