Cyber Incident Victim: Union Bank and Trust Company

On May 31, 2023, Union Bank and Trust Company (UBT) was notified by Progress Software of a zero-day vulnerability within their MOVEit Transfer software. Immediately upon receiving this notification, UBT took the MOVEit Transfer application offline and initiated an investigation into the nature and scope of the event. This investigation was conducted with the assistance of third-party forensic specialists. The forensic investigation determined that the specific vulnerability identified by Progress Software had been exploited. It was concluded that certain customer information being stored within UBT’s MOVEit Transfer application was subject to unauthorized access on May 29, 2023. The investigation confirmed that no other UBT systems were affected by this event. UBT reported the event to federal law enforcement. The bank was not the only entity impacted by this incident, as MOVEit software is used throughout many industries; early reports indicated that government agencies and various other companies and organizations had experienced similar security events due to the same software vulnerability.

The type of information potentially impacted by this incident included customer names and sensitive personal data. The investigation specifically determined that no customer accounts or account information, such as online banking credentials or account numbers, were accessed during the incident. The confidentiality, privacy, and security of information were stated as being among the bank's highest priorities. In direct response to the notification of the vulnerability, immediate steps were taken to secure the information being stored within the MOVEit application. Furthermore, the MOVEit Transfer application was updated with the security patch issued by Progress Software to address the exploited vulnerability.

As an added precaution, UBT offered affected individuals access to complimentary identity monitoring services for twelve months through Kroll, a global leader in risk mitigation and response. The services provided through this offering included Single Bureau Credit Monitoring, which alerts individuals to changes in their credit data; Fraud Consultation, which provides unlimited access to a fraud specialist for advice on protecting one's identity and assistance with fraud alerts; and Identity Theft Restoration, where a licensed investigator works on behalf of the victim to resolve identity theft-related issues. Affected individuals were required to complete the activation process themselves by a specified deadline, as the bank was not permitted to activate the services on their behalf. The activation was to be completed online via a dedicated Kroll enrollment website.

The incident notification letter included extensive information on steps individuals could take to help protect their personal information. Consumers were encouraged to remain vigilant against incidents of identity theft and fraud by reviewing their account statements over the next twelve to twenty-four months for any suspicious activity or errors. Under U.S. law, consumers are entitled to one free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian, and TransUnion. The notice provided detailed contact information for these bureaus. Consumers also have the right to place an initial one-year fraud alert or an extended seven-year fraud alert on their credit files at no cost. As an alternative to a fraud alert, consumers have the right to place a credit freeze on their credit report, which prohibits a credit bureau from releasing information without the consumer’s express authorization. Pursuant to federal law, consumers cannot be charged to place or lift a credit freeze. The notice listed the specific information required to request a credit freeze and provided the relevant addresses, phone numbers, and websites for all three major credit bureaus.

The notification further advised individuals to educate themselves regarding identity theft, fraud alerts, credit freezes, and other protective steps by contacting the consumer reporting bureaus, the Federal Trade Commission (FTC), or their state attorney general. The FTC contact information was provided, including its address, website dedicated to identity theft, toll-free number, and TTY number. The FTC encourages those who discover their information has been misused to file a complaint. Individuals also retain the right to file a police report if they experience identity theft or fraud, though they will likely need to provide some proof of being a victim. The notice stated that known or suspected identity theft should also be reported to law enforcement and state attorneys general and confirmed that the issuance of the notice itself had not been delayed by law enforcement.

Specific information for residents of certain jurisdictions was included in the notice. For District of Columbia residents, the contact details for the District of Columbia Attorney General were provided. For Maryland residents, the contact information for the Maryland Attorney General was listed. For New Mexico residents, the notice summarized key rights pursuant to the Fair Credit Reporting Act (FCRA), such as the right to know what is in your credit file and the right to dispute inaccurate information. It also noted that identity theft victims and active-duty military personnel have specific additional rights under the FCRA. For New York residents, the contact information for the New York Attorney General was provided. For North Carolina residents, the contact details for the North Carolina Attorney General were included. For Rhode Island residents, the notice provided the contact information for the Rhode Island Attorney General and stated that under Rhode Island law, residents have the right to obtain any police report filed in regard to this event. UBT established a dedicated assistance line and a postal address for affected individuals to direct their questions regarding the incident.