Cyber Incident Victim: Adams Bank & Trust

On May 15, 2023, Adams Bank & Trust, a financial services institution based in Ogallala, Nebraska, experienced an external system breach. The incident was first detected by the bank in the early hours of the following day, Tuesday, May 16, 2023, when unusual activity indicative of a cybersecurity threat was identified on its systems. In immediate response to this detected threat, the bank made a swift decision to initiate a lockdown of its servers. This decisive containment action was taken to protect customers and their personal financial information from potential compromise. The protective server lockdown, however, resulted in a significant service disruption for customers, who lost access to the bank's website and mobile application services.

Public communication regarding the incident began on May 16th via the bank’s Facebook page. The initial post informed customers of the disruption, attributing it to the detected unusual activity and the subsequent server lockdown. The bank's stated primary concern was the security of customer funds and personal information, which it asserted remained secure. The message expressed regret for the inconvenience caused and indicated that updates would be provided as systems were restored. Customers reported continued inability to access online and mobile services through that Saturday, indicating the outage persisted for several days. The bank acknowledged it did not have a definitive timeline for full service restoration but committed to providing ongoing updates through its Facebook channel and other notification systems.

An investigation and forensic analysis were conducted by the bank's IT department to determine the source and scope of the threat. The initial public statements from the bank on May 16th indicated there was no evidence that customer information had been accessed as a result of the incident. The forensic investigation continued, and the breach was officially discovered on September 22, 2023. The findings from this investigation revealed that the external system breach, or hacking, had in fact resulted in the acquisition of sensitive customer information. The specific information acquired included the name or other personal identifier of individuals in combination with their financial account number or credit/debit card number. Furthermore, this financial information was acquired in combination with the account's security code, access code, password, or PIN.

The total number of persons affected by this data breach was 23,819, which included one Maine resident. Notification to consumers was carried out via written notice, with the date of consumer notification being November 15, 2023. For the single affected Maine resident, a copy of the notice was filed with the state's authorities. In response to the confirmed compromise of sensitive personal and financial information, Adams Bank & Trust offered identity theft protection services to those impacted. These services were provided by IDX and included 12 months of credit monitoring, identity restoration services, and identity theft insurance. The breach was formally reported by Chad Adams, the Executive Vice President of the bank, who submitted the required documentation to the Maine Attorney General's office, confirming the entity's relationship to the incident as an employee.