Cyber Incident Victim: Frost Bank
Date:
Mar 2018
Location:
United States of America
Summary
Frost Bank experienced unauthorized access to digital images within commercial customers' lockbox archives due to a vulnerability in a third-party software program, enabling attackers to view and copy electronically stored check images. The breach was detected during an investigation, prompting immediate remediation efforts including halting unauthorized access, engaging a cybersecurity firm, and cooperating with law enforcement. Impact was limited to commercial lockbox systems, with no compromise of other banking systems. Affected customers, including the City of Corpus Christi—which utilized three commercial accounts for payment processing—were notified and advised to monitor accounts for suspicious activity, particularly those who mailed payments to specific Frost Bank lockbox addresses.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around March 16, 2018, Frost Bank, a subsidiary of Cullen/Frost Bankers, Inc., announced it was investigating unauthorized access to digital images within commercial customers’ lockbox image archives. The breach was detected earlier that week when Frost identified unauthorized users accessing a third-party lockbox software program, which enabled viewing and copying of electronically stored check images. The bank immediately initiated an investigation, halted the unauthorized access, and engaged a leading cybersecurity firm to assist. Frost notified law enforcement agencies, including the FBI and Secret Service, and began contacting affected commercial customers on March 16 to inform them of the incident. The breach was confined to the third-party lockbox system and did not compromise other Frost Bank systems or retail customer accounts. Frost established a dedicated customer service line (800-513-7678) and published FAQs on its website to address concerns.
The incident impacted commercial entities utilizing Frost’s lockbox services for payment processing, including the City of Corpus Christi, which maintained three commercial accounts for EMS and utility payments. The City confirmed that unauthorized parties accessed scanned documents, including checks, mailed to specific Frost lockbox PO boxes in San Antonio (e.g., PO Box 659880, 659722, 34627). Corpus Christi officials advised customers who mailed payments to these addresses to monitor their accounts but clarified that in-person, online, or third-party processor payments (e.g., H-E-B, Western Union) were unaffected. Frost’s remediation included collaboration with law enforcement, ongoing investigation updates, and direct support to affected commercial clients. No public disclosure was made regarding the total number of impacted customers or the duration of unauthorized access prior to detection. The bank’s CEO, Phil Green, publicly acknowledged the breach and emphasized Frost’s commitment to resolving the issue, though no specific technical details about the attack vector or identity of the perpetrators were released.