Cyber Incident Victim: First Horizon Corporation

First Horizon Corporation, a regional financial services company with $84 billion in assets, disclosed in April 2021 that unauthorized actors breached a limited number of online banking accounts belonging to customers of its subsidiary, First Horizon Bank. The incident was discovered in mid-April 2021, though the initial compromise occurred earlier that month. Attackers gained access by leveraging previously stolen customer credentials combined with exploitation of a vulnerability in unspecified third-party security software. This dual approach enabled unauthorized access to fewer than 200 online bank accounts. Once inside, threat actors extracted customer personal information stored within the accounts and initiated fraudulent transfers, ultimately obtaining less than $1 million in aggregate from affected customers. The bank emphasized the attack’s limited scope, noting no enterprise-wide system compromise beyond the targeted accounts.

Upon detection, First Horizon reimbursed all impacted customers for stolen funds and opened new banking accounts for them as a precautionary measure. The company notified relevant law enforcement agencies and data regulators, though specific entities were not named in disclosures. Remediation efforts included patching the exploited third-party software vulnerability and resetting passwords for compromised accounts. In an SEC 8-K filing dated April 28, 2021, First Horizon stated the incident would not materially affect its business operations or financial condition. This breach followed a separate 2020 disclosure by IBERIABANK Mortgage—a division acquired through First Horizon’s July 2020 merger—which involved a two-year data exposure unrelated to the credential-based attack. No additional technical specifics about the vulnerability or attacker identity were provided.