Cyber Incident Victim: Rockland Trust
Date:
May 2023
Location:
United States of America
Summary
Rockland Trust suffered an external system breach involving unauthorized access to its network. The incident compromised the personal information of nearly 15,000 individuals, including names combined with financial account details and associated credentials. The breach was discovered approximately two weeks after it occurred. In response, the financial services firm offered affected customers two years of complimentary credit monitoring and identity theft protection services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 31, 2023, an external system breach occurred at Rockland Trust, a financial services organization located at 288 Union Street in Rockland, United States, with a zip code of 02370. The incident was not discovered until June 13, 2023, a period of approximately two weeks after the initial breach took place. The nature of the incident was identified as hacking, an external system breach that resulted in unauthorized access to sensitive consumer information. The investigation determined that the information acquired during this breach included personal identifiers such as names in combination with financial account numbers or credit and debit card numbers. Furthermore, this financial data was compromised in combination with sensitive authentication credentials, including security codes, access codes, passwords, or personal identification numbers (PINs) for the affected accounts.
The total number of individuals affected by this data security incident was 14,806. Among this group, 27 were identified as residents of the state of Maine. Due to the number of Maine residents being below the 1,000-person threshold, there was no requirement to notify consumer reporting agencies regarding this specific subset of affected individuals. The compromised data elements constituted a significant risk to the impacted consumers, as the combination of personal identifiers with full financial details and authentication credentials could facilitate fraudulent transactions and identity theft.
In response to the breach, Rockland Trust initiated a written notification process to inform all affected consumers. These notifications were dispatched on July 10, 2023, which was over a month after the breach was discovered on June 13th. This timeframe allowed the company to conduct a thorough investigation to determine the full scope and impact of the incident before communicating with its customers. The notification provided to Maine residents was documented and made available for review by the state's authorities.
As a protective measure for the individuals whose information was compromised, Rockland Trust offered identity theft protection services. The company engaged Experian IdentityWorks to provide credit monitoring services for a duration of 24 months. This service was designed to help affected consumers monitor their credit reports for any suspicious activity that might indicate identity theft or financial fraud resulting from the breach. The offering of such services is a common remedial action intended to mitigate potential future harm to the victims.
The incident was formally reported by Kevin Hause, who held the position of Data Privacy Officer at Rockland Trust. Mr. Hause, identified as a current employee of the organization, served as the official submitter of the breach notification to the Maine Attorney General's office. His contact information, including a telephone number and a dedicated email address for the Office of Information Security, was provided as part of the official record to facilitate communication regarding the incident. The submission confirmed the entity's relationship to the compromised information and detailed the specific parameters of the breach.