Here in Canada we had a small online payment processor, Koho Financial, get breached. They are a startup, only 107 employees, but process billions of dollars of payments a year. The breach cost them millions. FinTech has not had a lot of major public data breaches in recent years compared to most other industries. Perhaps they are more diligent in their security practices, or maybe they're just better at keeping it under wraps?
When an incident does occur though, even to small companies, so much money flows through them that the impact can be spectacular.
Koho Financial (Canada, 2020)
Koho Financial Inc. processed more than $1-million in allegedly fraudulent transactions after users exploited a technical glitch. During the transfer of money between accounts, the glitch accidentally deposited the value into the accounts of BOTH the sender and the receiver.
Koho acknowledged that its system had been exploited, which it said was the result of a cyberattack that was discovered on March 5, and said that no customer funds or data were affected.
Paay (USA, 2020)
"Paay, a New York-based card payments processor, left about 2.5 million credit card transactions publicly exposed for roughly three weeks […] Paay apparently forgot to put password protections on the server, allowing anyone to access the data inside. Specifically, the housed data contains plaintext credit card numbers, expiration dates, the amount spent and partially masked copies of each credit card number. […] PCI compliance is mandatory and if a data breach occurs and a company does not meet the requirements, it will have to pay penalties and fines ranging between $5,000 and $500,000."
UAB MisterTango (Lithuania, 2019)
“payment data of 9000 transactions from 12 banks in different countries were available on the internet for everyone. A lack of the correct technical and organisational measures caused the data breach, which lasted from the 9th to the 10th July 2018. According to the GDPR, if a data breach happens, the company needs to notify the Data Protection Agency but the company failed to do so.”
Paypal TIO Networks (Canada, 2017)
“the Vancouver-based TIO Networks said that following the suspension of operations, evidence has been uncovered of a data breach due to "unauthorized access." In a statement, the company said that unknown attackers were able to gain access to "locations that stored personal information of some of TIO's customers and customers of TIO billers."”
BlueSnap (USA, 2016)
"nearly 324,000 users have been affected as a payment gateway BlueSnap or its affiliate RegPack became a victim of data breach. The data has been dumped in a file that has been titled Bluesnap_324K_Payments.txt. None of these companies has admitted that a data hack has occurred. The worst part is that the data dump also includes CVV numbers of some users."
Finastra (UK, 2020)
“infected with ransomware strain. The UK company said it discovered the intrusion into its systems after staff detected what they described as "potentially anomalous activity."
"Out of an abundance of caution, we immediately acted to take a number of our servers offline while we continue to investigate," Tom Kilroy, the company's Chief Operating Officer, said in a public statement. […] security researchers were quick to point out Finastra's less than stellar security posture [as they had] run unpatched servers for a long time, leaving its systems exposed to attacks [and] ran outdated VPN servers last year, and also ran outdated Citrix servers earlier this year.”
Tokopedia (Indonesia, 2020)
“Tokopedia [whose FinTech products include digital wallets, investments, business capital loans, virtual credit cards] has had its internal database breached by an as-yet unidentified party, resulting in a massive data leak that has affected […] more than 15 million users. The full database – which reportedly includes 91 million records consisting of email addresses, password hashes (an encrypted form of users’ passwords) and names of Tokopedia users – has now been put up for sale on the dark web […] Data related to payment methods such as credit cards, debit cards and e-wallet information, was not affected by the breach.”