Cyber Incident Victim: First National 1870

Date: May 2023

Location: United States of America

Summary

A cybersecurity incident involving First National 1870 occurred due to exploitation of a zero-day vulnerability in Progress Software's MOVEit file transfer tool, which the institution used for secure data transfers. Before the vendor's notification, unauthorized actors likely accessed files containing personally identifiable information from an on-premises server housing the MOVEit software. The affected systems were segmented from core banking operations, which remained uncompromised, and there was no material business disruption. The organization promptly implemented vendor-supplied patches, engaged third-party forensic experts, and initiated an investigation to determine the scope of impacted data. While remediation efforts and direct customer notifications are ongoing, the breach may result in financial costs, regulatory scrutiny, and potential litigation related to the unauthorized data access.

Description

On or about May 31, 2023, Progress Software Corporation notified Sunflower Bank, N.A., a wholly-owned subsidiary of FirstSun Capital Bancorp, of a zero-day vulnerability in Progress Software’s managed file transfer application MOVEit. The bank utilized MOVEit for securely transferring sensitive and confidential information, including data related to its First National 1870 and Guardian Mortgage divisions. The software operated on an on-premises server segmented from the bank’s core processing systems and other IT infrastructure. Upon notification, Sunflower Bank immediately enacted response protocols to address the vulnerability and protect its data. The bank retained a third-party forensic expert and launched a comprehensive investigation to determine the nature and scope of the incident. All software fixes issued by Progress Software were implemented following the disclosure. The investigation revealed that prior to Progress Software’s notification, an unauthorized party likely exploited the vulnerability to download files from the MOVEit server. These files contained personally identifiable information, though the bank’s core systems remained unaffected throughout the incident. No material business interruption occurred due to the segmentation of the MOVEit environment from operational systems.

Sunflower Bank confirmed the compromised files likely contained customer information accessed or acquired without authorization, though the full scope remained under investigation at the time of reporting. The bank initiated efforts to identify affected data files and began direct notifications to potentially impacted parties. Financial costs were incurred for incident response, remediation, and investigation, with expectations of continued expenses. The incident exposed the bank to risks including litigation, regulatory scrutiny, and reputational damage stemming from the data access. Ongoing evaluation focused on determining the complete financial impact, potential regulatory penalties, and legal liabilities. While the MOVEit server housed sensitive data, forensic analysis confirmed no evidence of lateral movement into the bank’s primary IT systems or core processing infrastructure. Public disclosures emphasized the geographical and industry-wide scale of the MOVEit exploitation, affecting thousands of organizations globally. The bank established a dedicated webpage for incident updates and committed to direct communication with affected customers as identification efforts progressed.
