What the Breach Record of 2023–2025 Tells Lenders
The period from 2023 through 2025 produced some of the most significant data security incidents in the history of the financial services and data industry. Examined through a compliance lens rather than a purely technical one, the pattern is consistent: the breaches that did the most damage to financial institutions were not primarily failures of technology. They were failures of vendor oversight, compliance program design, and the kind of third-party risk management that GLBA and the FTC Safeguards Rule specifically address.
For lending institutions, the lessons are practical. The Gramm-Leach-Bliley Act and the FTC Safeguards Rule create specific obligations that apply when customer information is exposed — whether the breach originates inside the institution or at a vendor that handles that information on the institution's behalf. Understanding what those obligations require, and how recent breaches tested them, is the foundation of a compliance program that holds up under examination.
Institutions using LASER's COMPLY pillar embed these vendor oversight and incident response requirements directly into their Salesforce environment. Schedule a Compliance Discussion to assess your program against the Safeguards Rule's current requirements.
The Regulatory Framework: What GLBA and the FTC Safeguards Rule Require
Before examining specific incidents, it is worth establishing what the regulatory framework requires of lenders when customer data is exposed.
GLBA's Safeguards Rule (16 CFR Part 314) requires covered financial institutions to develop, implement, and maintain a comprehensive written information security program. The 2021 amendments, most of which took effect in June 2023, significantly strengthened these requirements:
| Requirement | What It Mandates |
|---|---|
| Risk Assessment | Identify and assess, in writing, the risks to customer information in each relevant area of operations, and reassess periodically |
| Access Controls | Limit access to customer information to authorized users and periodically review those permissions |
| Encryption | Encrypt customer information in transit over external networks and at rest; where encryption is infeasible, use compensating controls reviewed and approved by the Qualified Individual |
| Multi-Factor Authentication | Require MFA for any individual accessing an information system that holds customer information, unless the Qualified Individual approves equivalent or stronger controls in writing |
| Vendor Oversight | Select and retain service providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess the providers |
| Incident Response Plan | Develop and maintain a written incident response plan covering goals, internal processes, roles and responsibilities, internal and external communications, remediation, documentation, and post-incident review |
| Board Reporting | Have the Qualified Individual report in writing, at least annually, to the board of directors (or equivalent governing body) on the status of the information security program |
| FTC Notification | Notify the FTC as soon as possible, and no later than 30 days after discovery, of a breach in which unencrypted customer information of at least 500 consumers was acquired without authorization (effective May 2024); data whose encryption key was also accessed by an unauthorized person counts as unencrypted |
The critical compliance principle that recent breaches repeatedly tested: GLBA compliance obligations do not transfer to vendors. When a third-party service provider is breached, the financial institution's compliance obligations — including vendor oversight, incident response, and notification — remain with the institution.
The National Public Data Breach: A Vendor Risk Case Study
The National Public Data breach, disclosed in 2024, exposed the personal information of potentially hundreds of millions of individuals, including Social Security numbers and addresses, and became one of the most significant third-party data exposure events in history. For lenders, the incident was a direct test of their third-party vendor risk management provisions.
NPD operated as a background check and data aggregation service used by financial institutions, employers, and other organizations to verify identities and run background screenings. The breach did not originate inside any lending institution — but lending institutions that used NPD's services faced real questions about whether their information security programs had adequate vendor oversight provisions, whether their vendor contracts required NPD to maintain appropriate safeguards, and whether they had conducted adequate due diligence on NPD's security practices.
As detailed in our analysis of the National Public Data breach and its lessons for lenders, the FTC Safeguards Rule's vendor oversight provisions require financial institutions to go beyond selecting reputable vendors — they require ongoing oversight and contractual protections that create accountability throughout the data supply chain.
Third-Party Vendor Breaches: The Consistent Pattern
Across the major breach incidents of 2023–2025, one pattern held for financial services firms: the institutions that navigated these incidents most effectively were those whose information security programs included specific, documented vendor oversight provisions (contractual security requirements, periodic vendor security assessments, and incident notification obligations) rather than broad policy statements about vendor management.
What These Breaches Mean for Your GLBA Program
The breach record of 2023–2025 reveals five specific areas where lenders' GLBA compliance programs were most frequently tested:
- Vendor contract language. Institutions with specific, contractual security requirements in their vendor agreements were better positioned to hold vendors accountable and to demonstrate adequate oversight to regulators. Vague "industry-standard security" language does not satisfy the Safeguards Rule's vendor oversight provisions, which require the contract to obligate the provider to implement and maintain the safeguards the institution has determined are appropriate.
- Encryption scope. Several major breaches involved data that was technically encrypted but where the encryption keys were also compromised, or data that was unencrypted in transit between systems. The Safeguards Rule requires encryption of customer information at rest and in transit over external networks, and for notification purposes it treats data as unencrypted if the key was accessed by an unauthorized person. Encryption only counts, then, when keys are generated, stored, and managed separately from the data they protect; partial encryption programs leave material exposure.
- Incident response plan currency. Institutions whose incident response plans had not been updated to reflect the Safeguards Rule's FTC notification requirement (as soon as possible and no later than 30 days after discovery, effective May 2024) faced gaps in their response procedures. Incident response plans require regular review and updating as regulatory requirements evolve.
- Board reporting. The Safeguards Rule requires the Qualified Individual to report in writing, at least annually, to the board of directors on the status of the information security program. Institutions where breach incidents surfaced gaps in board-level visibility into third-party risk were often those where the annual report had not been treated as a substantive review.
- Third-party risk inventory. Institutions with a clear, current inventory of all vendors handling customer information, including subprocessors and data aggregators, were able to assess breach impact more quickly and accurately than those without systematic vendor tracking.
Building a Safeguards-Ready Compliance Program
The FTC Safeguards Rule is not primarily a technology requirement — it is a program requirement. The institutions that demonstrate the most effective compliance programs under examination are those that have embedded the Rule's requirements into their operational workflows rather than their policy binders.
For lenders on Salesforce, this means:
- Vendor oversight provisions that are contractual, specific, and documented within the platform
- Encryption standards verified and documented for all customer data in transit over external networks and at rest, including where the keys are held and who can reach them
- Incident response plans that reflect current notification requirements and are reviewed annually
- Board reporting workflows that generate and document the required annual information security update
As detailed in our analysis of what lenders need to know about third-party risk, FCRA compliance and GLBA compliance obligations do not transfer to vendors — they remain with the institution regardless of where in the ecosystem a failure occurs.
What This Means for Your Institution
The major breaches of 2023–2025 were not anomalies. The threat landscape for financial services data has become more sophisticated, and the vendor ecosystem that lenders rely on has become a primary attack surface. The FTC Safeguards Rule's vendor oversight and notification requirements exist precisely because regulators recognized this pattern.
Institutions that treat these breaches as case studies — and use them to evaluate the specific provisions of their own information security programs — are building the compliance posture that both examiners and the current threat environment require. The question is not whether your institution will encounter a third-party security incident. The question is whether your information security program is designed to respond to it effectively when it happens.
Schedule a Compliance Discussion to assess your institution's GLBA Safeguards Rule compliance program against the requirements that recent major breaches most frequently tested.
