Cyber Incident Victim: KeyBank

On July 5, 2022, hackers breached the systems of Overby-Seawell Company, a Georgia-based insurance services provider working with KeyBank and other corporate clients. The intrusion resulted in the theft of sensitive personal data belonging to residential mortgage customers of Cleveland-based KeyBank, a financial institution operating across 15 states with nearly $200 billion in assets. The compromised information included customer names, addresses, mortgage account numbers, and the first eight digits of Social Security numbers—sufficient details for identity thieves to commit fraud. KeyBank confirmed its own systems and operations remained unaffected by the breach. The bank first learned of the incident on August 4, 2022, when notified by Overby-Seawell, and subsequently informed affected mortgage holders via letters dated August 26.

KeyBank's notification letters disclosed that Overby-Seawell had engaged third-party cybersecurity experts to investigate the breach and had alerted law enforcement authorities. While the bank declined to specify how many customers were impacted or provide additional details about the attack methodology, it emphasized taking the matter seriously and notified all affected individuals. The compromised data specifically related to mortgage accounts held with KeyBank, exposing victims to potential identity theft risks. As a remedial measure, KeyBank offered affected customers complimentary fraud monitoring services through its vendor partner. The breach highlighted vulnerabilities in third-party vendor security practices, though neither KeyBank nor Overby-Seawell disclosed whether ransomware, phishing, or other specific attack vectors enabled the intrusion.