Cyber Incident Victim: Northern Bank & Trust Company
Date: May 2023
Location: United States of America
Summary
Northern Bank & Trust Company experienced an external system breach resulting in the acquisition of personal information including names and Social Security numbers. The incident affected 64 individuals. In response, the financial services firm offered all affected persons identity theft protection services for 36 months through Experian and provided notification to consumers via written correspondence.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around May 30, 2023, Northern Bank & Trust Company, a financial services institution located at 275 Mishawum Road in Woburn, Massachusetts, experienced a security incident. The breach was characterized as an external system breach resulting from hacking activity. The unauthorized actor or actors successfully acquired sensitive personal information belonging to a total of sixty-four individuals. This compromised data included the name or another personal identifier of each affected individual in combination with their Social Security Number. The breach was not discovered immediately; instead, the intrusion went undetected for approximately six weeks. The financial institution officially discovered that its systems had been compromised on July 12, 2023.

Following the discovery of the incident, the bank initiated its response and investigation procedures. The investigation confirmed the nature of the breach and the specific type of personal information that had been accessed and acquired by the unauthorized party. The scope of the impact was determined to be limited to the sixty-four affected persons. Among this group, only one individual was a resident of the state of Maine. Because the number of affected Maine residents was well below the one thousand person threshold, the company was not required to notify consumer reporting agencies of the breach under the relevant regulations, and did not do so.

The notification process to inform affected consumers began on August 2, 2023. Northern Bank & Trust Company elected to use written notification as its method of communication with all individuals whose personal information was involved in the incident. This formal written notice was provided directly to each of the sixty-four people. For the single affected Maine resident, a specific copy of the data security breach notice was filed with the Maine Attorney General's office; this document was titled "Data Security Breach Notice (MoveIt; SSN).pdf," indicating a potential connection to the MOVEit file transfer software exploited in a widespread series of attacks around that time, though the article does not explicitly confirm this link.

As part of its response to mitigate potential harm to the affected individuals, Northern Bank & Trust Company offered to provide identity theft protection services. The company engaged the services of Experian, a major credit reporting and monitoring agency, to furnish these protections. The offered service was provided for a duration of thirty-six months, or three years, from the point of enrollment. This service was designed to help monitor for and alert individuals to any suspicious activity related to their personal information, particularly their Social Security Number, which could be used for identity theft or financial fraud. This offering was made available to all sixty-four individuals at no cost to them.

The breach was reported to the appropriate authorities, including the Office of the Maine Attorney General, by the company's General Counsel, Sean Mahoney. The submission was made electronically through the state's official portal for data breach notifications. The company confirmed that it had not experienced any other data breach incidents requiring notification within the twelve months preceding this event. The incident represents a compromise of personally identifiable information with a high potential for misuse, given the inclusion of Social Security Numbers, necessitating a robust protective response for the affected customers.
