Cyber Incident Victim: First National Bankers Bankshares
Date: May 2023
Location: United States of America
Summary
A third-party software vulnerability exploited at First National Bankers Bankshares (FNBB) led to a data breach. FNBB, which provides check clearing services, utilized the MOVEit Transfer application, and an unauthorized party accessed its server. The incident potentially compromised files containing scanned check images and associated checking account numbers. The breach did not directly impact the systems of the customer banks that utilize FNBB's services.
Description
First National Bankers Bankshares (FNBB) experienced a data breach as a result of a vulnerability in a third-party software application utilized for data transfer services. FNBB provides correspondent banking services, specifically check clearing, for other financial institutions, including BOM Bank. This service involves the transmission of scanned check images between financial institutions for processing. The software in question was MOVEit Transfer, a tool used by FNBB to transfer files. The provider of the MOVEit Transfer software disclosed to FNBB that a vulnerability existed within their product. This vulnerability had been exploited by an unauthorized third party to gain access to data on the servers FNBB used to host the MOVEit application.

Upon receiving notification from the software provider, FNBB applied software patches that were issued to address the vulnerability. FNBB also notified law enforcement agencies of the incident and initiated an investigation into the event with the assistance of external data forensic experts. The forensic investigation determined that the unauthorized third party likely accessed the MOVEit server on May 27, 2023. This access could have permitted the unauthorized individual to view or acquire files stored on that server. The files present on the compromised server included images of checks that had been processed through the clearing service and associated checking account numbers. FNBB’s investigation was unable to determine with certainty which specific files, if any, were actually acquired or exfiltrated by the unauthorized party.

FNBB subsequently notified its customer institutions, including BOM Bank, of the data breach. BOM Bank received this notification and was informed that the breach originated from a third-party software event at FNBB and did not involve a compromise of BOM Bank's own internal systems. The data potentially exposed belonged to customers of BOM Bank whose checks had been processed through the FNBB clearing service. BOM Bank was notified by FNBB that the relevant files had been identified on or around July 10, 2023. Following this identification, BOM Bank promptly began a manual review of the records involved to confirm the identities of the individuals whose information was present on the server and to obtain their current contact information for the purpose of providing formal notification.

The manual review process was conducted to ascertain the full scope of individuals potentially affected by the incident at FNBB. BOM Bank recently completed this review of the records, which confirmed the types of personal information that were present on the server at the time of the unauthorized access. The information involved was related to the check clearing process and consisted of images of checks written by or deposited to accounts at BOM Bank. These check images inherently contained the checking account number of the account holder. There was no indication from either FNBB or BOM Bank that the event had resulted in any identity theft or fraud related to the exposed information. Despite this lack of evidence regarding misuse, the decision was made to notify affected customers out of an abundance of caution.

The incident was fundamentally contained through the application of the software patches provided by the MOVEit Transfer vendor. The patching action was a direct response to the disclosure of the vulnerability and was intended to prevent further unauthorized access through the same security flaw. The involvement of law enforcement and forensic experts formed a critical part of the response, aiming to investigate the scope of the access and to aid in the mitigation efforts. The primary consequence of the incident was the potential exposure of sensitive banking information, specifically check images and account numbers, which could be misused for fraudulent purposes. The inability to determine precisely which files were accessed added a layer of uncertainty regarding the specific impact on individuals. The response timeline indicates a period of over a month between the suspected unauthorized access on May 27 and the identification of the relevant affected files by FNBB around July 10, followed by the customer notification process undertaken by BOM Bank thereafter.
