Cyber Incident Victim: Darling Consulting Group

Date: May 2023

Location: United States of America

Summary

A cybersecurity incident at Darling Consulting Group potentially compromised personal information, including names and Social Security numbers. The breach notification, issued by BankNewport, offered affected individuals complimentary credit monitoring and identity protection services. The notice provided detailed instructions on how to place security freezes on credit reports and recommended that recipients remain vigilant by reviewing their account statements and monitoring for fraud.

Description

On or around May 31, 2023, BankNewport issued a notification letter to its customers regarding a data security incident. The incident, however, did not originate within BankNewport's own systems. The bank was notified by Darling Consulting Group, a third-party service provider, that it had experienced a cybersecurity event. Darling Consulting Group provides certain analytical services to the bank. The event at Darling Consulting Group resulted in the unauthorized access and acquisition of certain files from its systems. These files contained personal information belonging to a number of BankNewport's customers.

The notification did not disclose the specific details of the attack vector, the exact date of the initial intrusion, or the duration of unauthorized access within Darling Consulting Group's network. The incident was detected by Darling Consulting Group, which then conducted an investigation into the nature and scope of the event. Following this investigation, Darling Consulting Group determined that the acquired files contained sensitive personal information. The compromised data included individuals' names and Social Security numbers. The notification did not specify the total number of individuals affected by the incident at the third-party provider, nor did it detail the number of BankNewport customers specifically impacted.

Upon being notified by its service provider, BankNewport initiated its own response. The bank's primary action was to notify its affected customer base via written correspondence dated May 31, 2023. This communication served to inform individuals that their personal information had been involved in the breach at the third party. The letter outlined the specific types of personal data that were exposed, which were confirmed to be names and Social Security numbers. The bank expressed regret for the incident and any inconvenience it may cause.

In response to the potential risk of identity theft and fraud, BankNewport offered complimentary credit monitoring and identity protection services to the affected individuals. The offering was described as a way to help protect their information. To receive these services, individuals were required to enroll within a 90-day window from the date of the notification letter. The enrollment process was noted to require an internet connection and an email account, and the service was stated as being unavailable to minors under the age of 18. The bank strongly urged all recipients of the letter to sign up for the provided services.

For individuals who opted not to utilize the offered services, the notification letter contained extensive guidance on alternative protective measures they could undertake independently. This included detailed instructions on how to place a fraud alert or a security freeze on their credit files. The letter provided the direct contact information for the three major credit reporting agencies: Experian, Equifax, and TransUnion. It explained the process and potential impacts of a security freeze, noting that while it may delay the approval of new credit applications, there is no charge to request one. The specific documentation required to request a freeze was listed, including full name, Social Security number, date of birth, address history, proof of current address, and a copy of a government-issued ID.

The letter further advised affected individuals on how to obtain free copies of their credit reports from AnnualCreditReport.com for self-monitoring. It recommended that recipients carefully review these reports for any suspicious activity. Additional resources were provided, including contact information for the Federal Trade Commission (FTC) and its identity theft hotline, as well as online resources at the FTC's website dedicated to identity theft. Guidance specific to potential tax-related fraud was also included, directing individuals to the IRS Taxpayer Guide to Identity Theft and advising them to consider completing IRS Form 14039, the Identity Theft Affidavit, to place a marker on their tax records.

For residents of Rhode Island, the notification suggested contacting the Rhode Island Attorney General’s Office, Consumer Protection Unit. It also affirmed the right of individuals to file a police report with their local law enforcement agency if they believed they had become a victim of identity theft or fraud. The overall recommendation within the letter was for affected customers to remain vigilant in reviewing their account statements and monitoring their credit reports for any signs of fraudulent activity.

BankNewport established a dedicated telephone assistance line at (401) 845-6565 for affected customers to call with any questions regarding the incident. The communication was signed by Mary Leach, Executive Vice President and Chief Retail Banking & Lending Officer, on behalf of BankNewport. The incident was assigned data breach number 30158 by the relevant authorities.

The direct impact on BankNewport's internal operations or systems was not described, as the breach was contained to the systems of the third-party consulting firm. The containment and eradication actions taken by Darling Consulting Group were not detailed in the provided notification.
