US financial institutions have “lost” the battle to protect their customers’ personal data and must now assume that information on all of their clients has already been compromised or will be at some point in the future, TowerGroup has said.

Its research indicates that over 100 data breaches involving millions of personal details were reported between January and April.

Financial institutions should therefore presume that traditional account information, such as a customer’s name, address or date of birth, is now “useless” in terms of authentication. Companies should instead adopt “knowledge-based authentication” and the use of one-off passwords sent via SMS text messages.

In addition, organizations need to implement cross-channel fraud prevention policies that can detect potential data breaches in real time. These strategies also need to be continually evaluated and developed to keep pace with the fraudsters looking to steal personal data, TowerGroup said.

The firm added that regulators also need to introduce tougher data protection requirements and penalties because until businesses are compelled to secure customers’ information, incidents of theft will “persist and worsen”.

TowerGroup, a division of MasterCard Worldwide, is a research and consulting specialist that focuses on the financial services industry with offices in London and Needham, Massachusetts.