Cyber Incident Victim: United Bankshares, Inc.

United Bank became aware of a data security incident involving the compromise of a third-party software tool, which was publicly identified as the MOVEit file transfer software. This incident occurred on or around May 31, 2023, coinciding with the public disclosure of widespread vulnerabilities in the MOVEit platform exploited by the Clop ransomware gang. Upon learning of the situation, United Bank immediately launched an investigation into the potential impact on its customer data. The bank engaged external security experts to assist with this investigation to identify any compromise of customer information.

The investigation determined that the incident involved unauthorized access to files containing the personal information of United Bank customers. The specific data accessed included customer names and account numbers. The breach was not due to a direct compromise of United Bank's own internal systems but was a result of the vulnerability within the third-party MOVEit software tool used by the bank. The bank promptly applied all recommended remediation measures provided by the software vendor, Progress Software, to mitigate the impact of the vulnerability and secure its environment.

In response to the confirmed data exposure, United Bank began the process of notifying affected individuals. By June 30, 2023, the bank had dispatched individualized letters to impacted customers to inform them of the breach. The notification letter, signed by President Julie R. Gurtis, explained the nature of the incident and the specific types of personal information involved. The bank expressed regret for the incident and emphasized its serious approach to safeguarding customer confidentiality.

As a remedial action, United Bank arranged for complimentary credit monitoring services for the affected individuals. The bank engaged Equifax to provide a two-year credit monitoring product at no cost to those whose information was involved. This service was designed to help detect possible misuse of personal information and provide identity protection support. Each notified customer was provided with a unique activation code to enroll in the program, with an offered deadline for activation. The service included features focused on the immediate identification and resolution of identity theft.

The bank's notification also provided detailed guidance to customers on steps they could take to protect themselves, though these were presented as recommendations and not as requirements. Customers were advised to remain vigilant for incidents of fraud and identity theft over the next 12 to 24 months, including by regularly reviewing their account statements and monitoring their credit reports. The notification included contact information for the three nationwide credit reporting agencies—Equifax, Experian, and TransUnion—and explained how to obtain free annual credit reports. It also detailed the process for placing fraud alerts or security freezes on credit files, which can make it more difficult for unauthorized parties to open new accounts using stolen information.

United Bank established a dedicated telephone line, 844-665-7611, for affected customers to call with any questions or concerns regarding the incident. The bank assured customers that it took the issue very seriously and that helping them was a priority. The incident was reported to the appropriate authorities, as indicated by the publication of the notification letter on the official website of the Commonwealth of Massachusetts, which assigned a data breach number, 29929, to the incident involving United Bankshares Inc.

The breach at United Bank was part of a much larger global cybersecurity incident centered on the exploitation of vulnerabilities in the MOVEit file transfer software. The Clop ransomware group claimed responsibility for these attacks, which affected hundreds of organizations worldwide, including numerous other financial institutions, universities, government agencies, and corporations. The attack on United Bank was consistent with the broader pattern where attackers exploited the software to access sensitive files transferred through the MOVEit environment. The cascading effect of the incident was significant due to the centralized role of various service providers, though United Bank's exposure was directly tied to its own use of the vulnerable software rather than through an intermediary. The bank's response focused on customer notification, offering protective services, and reinforcing its security posture following the application of the necessary patches to the vulnerable system.