Cyber Incident Victim: First Merchants Bank
Date: May 2023
Location: United States of America
Summary
First Merchants Bank experienced a data incident stemming from a security vulnerability in the MOVEit Transfer service used by one of its vendors. In late May 2023, an unauthorized actor copied certain customer data from the vendor's system. The compromised information varied but potentially included names, contact details, Social Security numbers, dates of birth, and financial account information. The bank's own systems were not affected.
Description
On or around May 28, 2023, a security vulnerability was exploited within the MOVEit Transfer software, a third-party service utilized by a vendor of First Merchants Bank (FMB). This vendor provided services to many financial institutions, and the incident impacted a large number of companies across various industries, including government agencies, healthcare, and financial services. The bank's own network and IT systems were not involved or affected by this event. The unauthorized activity occurred over a period of three days, from May 28 to May 30, 2023, during which certain FMB data was copied without authorization from the vendor's MOVEit system.

First Merchants Bank was notified of the potential issue by its vendor, and on June 21, 2023, the vendor confirmed to FMB that its data may have been compromised. Following this confirmation, FMB promptly initiated a detailed review of the data involved to determine the types of information present and to identify the specific individuals and businesses to whom the data related. The investigation determined that the incident potentially affected FMB customers who used mobile or online banking services. The scope of information exposed varied by individual or business but was confirmed to include a range of sensitive personal and financial data.
The types of customer information potentially affected included names, contact information such as telephone numbers, addresses, and email addresses, and dates of birth. More sensitive identifiers were also involved, including Social Security numbers or tax identification numbers and mothers' maiden names. For business customers, company identification numbers were potentially exposed. Financial account information was also compromised, including account and routing numbers, as well as payee information. The investigation confirmed that online or mobile banking passwords were not captured or compromised and remained unaffected by the incident. Online/mobile banking usernames, however, were among the data copied.
In response to the incident, First Merchants Bank undertook several actions focused on customer communication and support. The bank made its customers aware of the event through a public notice and directly notified potentially affected individuals. A dedicated assistance telephone line was established for customers, available from 9:00 a.m. to 6:30 p.m. ET, Monday through Saturday, excluding major U.S. holidays. The bank emphasized that it takes the confidentiality, privacy, and security of information very seriously and that it exercises utmost care in selecting vendors to support its banking services. FMB continued to work with the involved vendor to investigate the issue thoroughly.
As part of its response, First Merchants Bank also began a review of its existing policies and procedures regarding vendor services. The bank committed to evaluating additional measures and safeguards to enhance information security in light of this incident. The primary focus of the bank's external response was to provide customers with clear guidance on the steps they could take to protect themselves and their information. Customers were strongly encouraged to remain vigilant against incidents of identity theft and fraud.
The bank advised customers to review their account statements and monitor their credit reports for suspicious activity for at least the next 12 to 24 months. Customers were instructed to alert FMB immediately upon discovering any suspicious activity or unauthorized transactions on their accounts. The bank provided specific instructions for its online banking users, urging them to change their online banking Login ID (User ID) and to consider changing their online banking password, despite passwords not being compromised in the incident. Detailed, step-by-step guides were published on the bank's website to walk customers through the process of changing their User ID and password, as well as setting up account alerts for unusual activity.
First Merchants Bank provided extensive information on the rights and resources available to consumers for protecting their credit. This included instructions on how to obtain free annual credit reports from the three major credit reporting bureaus: Equifax, Experian, and TransUnion. The notice explained the difference between a fraud alert and a credit freeze, detailing the procedures for placing each with the credit bureaus. Contact information for each bureau, including website links, phone numbers, and mailing addresses for fraud alerts and credit freezes, was supplied to make the process more accessible for affected individuals.
The bank's notice also included information for residents of specific states, directing them to the offices of their respective Attorneys General for additional support and guidance. For consumers in Rhode Island, it was noted that there were approximately 14 residents potentially impacted by the event, and under Rhode Island law, these individuals had the right to obtain any police report filed in regard to this incident. The notice concluded by affirming that its dissemination had not been delayed by law enforcement and provided contact information for the Federal Trade Commission, which encourages individuals who discover their information has been misused to file a complaint. The incident was attributed to a vulnerability in a third-party file transfer service used by a bank vendor, and the bank's systems were not breached.
