So far in 2022, at least 79 financial service companies have reported data breaches affecting 1,000 or more consumers, and the total number of consumers affected by these breaches could be as high as 9.4 million.
Those numbers come from Maine Attorney General Aaron Frey, pursuant to the state's data breach disclosure laws. The figures track the total number of people affected by each breach — not just Maine residents.
As measured by the number of people affected, the largest data breach by a bank so far this year impacted
"For those impacted, we have no evidence that any of their information has been misused," the bank wrote in a statement. "Nevertheless, out of an abundance of caution we are offering complimentary credit monitoring services."
The Maine data provides a wide but incomplete picture of the data breaches affecting consumers this year. Maine only tracks breaches that affect at least one state resident, so the total number of financial services companies and consumers affected by breaches nationwide is certainly larger.
Only two financial service companies have reported larger breaches this year. Elephant Insurance Services in Virginia reported in May that it was hit with a breach affecting more than 2.7 million consumers. Lakeview Loan Servicing, the fourth-largest mortgage loan servicer in the U.S., said in March that
"Like many other organizations, Lakeview experienced a security incident in 2021," the company said in statement. "Steps were taken to immediately contain the incident, law enforcement was notified, and a thorough investigation was conducted by a forensic investigation firm. Lakeview's operations were not disrupted."
In its
So far this year, at least two other financial institutions have suffered data breaches affecting more than 100,000 people. A breach at Boeing Employees' Credit Union starting in mid-June affected 344,752 consumers and their Social Security numbers.
"On June 6, BECU was informed that our third-party printing vendor had experienced a network security incident that impacted their printing and notification services for our members and involved unauthorized access to certain data of some members," the
A breach at First Financial Credit Union in Southern California starting in mid-January affected 229,748 consumers and their driver's license numbers.
"As soon as we became aware of the incident, we immediately launched an investigation into the nature and scope of the incident," Ron Moorehead, president and CEO of First Financial,
These large breaches do not reflect the typical scope of breaches affecting customers of financial institutions. Most breaches affecting financial institutions affect fewer than 5,000 people each, and many of those affect credit unions and regional banks, according to the Maine data.
Additionally, while some of the breaches are the result of insider wrongdoing, the largest tend to be the result of a threat actor extracting data from a company.
Many states publish information about data breaches affecting their residents, but the information Maine publishes is among the most detailed. For each breach, Maine reports the number of consumers affected, the type of data compromised (usually Social Security numbers, driver's license information, or passport photos), dates related to the incident, and more.
Many states also have a higher threshold for when to report an incident. For example, Oregon's attorney general only reports data breaches affecting more than 250 Oregonians and does not report the total number of consumers affected by each breach.