Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building.
"We're in a day when a person can commit about 15,000 bank robberies sitting in their basement," said Robert Anderson, executive assistant director of the FBI's Criminal Cyber Response and Services Branch.
The U.S. financial sector is one of the most targeted in the world, FBI and Secret Service officials told business leaders at a cybersecurity event organized by the Financial Services Roundtable. The event came in the wake of mass hacking attacks against Target, Home Depot, JPMorgan Chase and other financial institutions.
"You're going to be hacked," Joseph Demarest, assistant director of the FBI's cyberdivision, told the business leaders. "Have a plan."
Nearly 439 million records were stolen in the past six months, said Supervisory Special Agent Jason Truppi of the FBI. Nearly 519 million records were stolen in the past 12 months, he said.
About 35% of the thefts were from website breaches, 22% were from cyberespionage, 14% occurred at the point of sale when someone bought something at a retail store, and 9% came when someone swiped a credit or debit card, the FBI said.
About 110 million Americans — equivalent to about 50% of U.S. adults — have had their personal data exposed in some form in the past year, said Tim Pawlenty, president of the Financial Services Roundtable and the former governor of Minnesota.
About 80% of hacking victims in the business community didn't even realize they'd been hacked until they were told by government investigators, vendors or customers, according to a recent study by Verizon cited by Pawlenty.
Businesses need to reach out to the FBI and Secret Service for tips on how to protect their data before something happens, agents said. If a business is hacked, company officials need to contact government agents rather than trying to keep the attack quiet and deal with it internally, the FBI said. "No one is going to solve this problem on their own," said Supervisory Special Agent Thomas Grasso of the FBI. "This is something we all need to work together on."
FBI and Secret Service officials say they have taken down international hackers with the help of U.S. companies and law enforcement allies overseas. Agents said many of the attacks against U.S. companies are carried out by cybercriminals in other nations.
One Romanian hacker was lured to Boston by Secret Service Special Agent Matt O'Neill, who used the Internet to pose as a woman and invite the cybercriminal on a trip to the USA to enjoy gambling and romance. "He was quite surprised that I was the one meeting him when he arrived," said O'Neill, who worked on the case for months.
The man was arrested and is serving seven years in a U.S. prison. Romanian authorities extradited one of his co-conspirators to the USA, reflecting stronger partnerships between U.S. law enforcement authorities and U.S. allies to catch hackers.
"Five years ago, we would have focused on whether the (hacker) was in the United States where we could get our hands on them," Grasso said. "Today, we're going to team up with our overseas law enforcement partners and go after them."
Congress could help by passing cybersecurity legislation to update surveillance laws and give federal agents greater authority to go after cybercriminals, Pawlenty said. The House has passed a bill that the Senate has not taken up. The Senate has taken a piecemeal approach, approving one bill that would make it easier for the Department of Homeland Security to hire cybersecurity experts.
"Our government and our businesses are in a daily fight against hackers," Pawlenty said. "It's getting increasingly concerning, and it needs to be met with action by Congress."