Cyber Incident Victim: Happy State Bank
Date:
Jul 2022
Location:
United States of America
Summary
Happy State Bank experienced a data breach when an unauthorized party accessed an employee's email account through a phishing attack, compromising sensitive customer information. The incident exposed names and Social Security numbers of 10,069 individuals. Following an internal investigation confirming the data leak, the bank notified affected customers and regulatory authorities. The breach stemmed from unauthorized access to files containing confidential consumer data via the compromised email account.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In July 2022, Happy State Bank detected suspicious activity within an employee's email account, prompting an immediate internal investigation. The investigation confirmed the employee had fallen victim to a phishing attack, enabling unauthorized access to files containing customer information. HSB determined the attacker gained entry through this compromised email account, though the specific duration of access wasn't disclosed. The bank's forensic review focused on identifying which files were accessed and what types of consumer data were exposed. By March 16, 2023, HSB completed its analysis and filed a formal breach notice with the Maine Attorney General, confirming the incident affected 10,069 individuals. The compromised data included names and Social Security numbers, with variations in exposed information per individual. No banking details, financial account information, or transaction records were explicitly listed as compromised in the filing. HSB initiated direct mail notifications to all affected customers on the same date as the regulatory filing, eight months after initial detection. The breach occurred prior to HSB's acquisition by Home Bancshares, Inc., which finalized in 2022 and transitioned the bank into a Centennial Bank division.
The incident exposed sensitive personally identifiable information (PII) critical to identity verification, creating potential fraud risks for impacted customers. HSB's response included standard breach notification procedures required under state laws, though no credit monitoring or identity protection services were mentioned in the public filing. The breach originated from a single employee email account compromise rather than a direct intrusion into core banking systems. As a regional institution operating over 60 Texas branches with 750 employees, the breach affected approximately 5% of HSB's estimated customer base based on its $136 million annual revenue. No operational disruptions to banking services or additional security incidents were reported in conjunction with the breach. The phishing attack's technical specifics, including whether malicious links or attachments were involved, remained undisclosed in regulatory documents. HSB's parent company, Home Bancshares, Inc., did not issue separate statements regarding the incident's financial or reputational impact on the consolidated organization.