Cyber Incident Victim: Stockman Bank

On or around May 30th and May 31st of 2023, a data security incident impacted Stockman Bank, a financial services institution based at 1405 Grand Ave, Billings, Montana. The breach was not discovered by the bank until August 4th, 2023, indicating a period of approximately two months between the initial compromise and its detection. The nature of the event was identified as a third-party breach, meaning the compromise did not occur within Stockman Bank's own internal systems but rather within the infrastructure of an external partner or service provider. The specific third party involved was not named in the breach notification.

The unauthorized actor or actors involved in this incident successfully acquired sensitive personal information. The information accessed was of a highly sensitive nature, consisting of the names or other personal identifiers of affected individuals in combination with their Social Security Numbers. This specific type of data combination is particularly valuable for malicious purposes, such as identity theft and financial fraud, due to its use in verifying an individual's identity for credit applications and other sensitive transactions.

The total number of individuals affected by this breach was 5,115. This figure includes individuals from across the United States. Of that total, four were identified as residents of the state of Maine. Because the number of affected Maine residents was well below the 1,000-person threshold that triggers a requirement to notify consumer reporting agencies, such a notification was not made in this instance. The breach notification was submitted to the Maine Attorney General's office by outside counsel representing Stockman Bank, specifically Marcus McCutcheon of the law firm Baker & Hostetler, LLP.

Following the discovery of the incident on August 4th, Stockman Bank initiated its response protocol. The primary response action was to provide notification to all affected individuals. This notification was carried out in written form, with the letters being dispatched to the 5,115 victims on August 7th, 2023. This swift three-day period between discovery and notification suggests a pre-planned incident response procedure was activated. The notification letters included a detailed explanation of the incident and the types of personal information that had been exposed.

In addition to informing individuals of the breach, Stockman Bank also took steps to provide protective measures to help mitigate the potential harm caused by the exposure of Social Security Numbers. The bank offered affected persons complimentary identity theft protection services. These services were provided by the firm Kroll, a well-known provider of risk and financial advisory solutions. The offered services were comprehensive, including credit monitoring to alert individuals to new lines of credit opened in their name, fraud consultation to provide expert guidance should any suspicious activity occur, and identity theft restoration services to assist victims in recovering their identities and repairing their credit should they fall victim to fraud. This protection was offered for a duration of one year from the date of the notification.

The submission of the breach notification to the Maine Attorney General's office included a copy of the sample letter that was sent to the four affected Maine residents, providing transparency into the communication process. The incident, occurring in late May but discovered in early August, highlights the challenges organizations face in detecting compromises, especially those stemming from third-party vendors where visibility into system activity may be limited. The compromise of Social Security Numbers represents a significant risk to the affected individuals, necessitating the offering of robust protective services to help safeguard their financial identities. The response was characterized by a formal notification process managed through legal counsel and the provision of a standardized set of mitigation services to all victims.