Cyber Incident Victim: Enterprise Bank & Trust Company
Date: May 2023
Location: United States of America
Summary
Enterprise Bank & Trust Company experienced an external system breach resulting in the compromise of personal information for over 1,300 individuals. The incident involved unauthorized access to names combined with financial account details, including credit and debit card numbers along with their security codes or PINs. The bank offered affected persons identity theft and credit monitoring protection services for a period of up to two years.
Description
On or around May 27, 2023, Enterprise Bank & Trust Company, a financial services institution based at 222 Merrimack Street in Lowell, Massachusetts, experienced an external system breach. The incident, which was characterized as hacking, resulted in an unauthorized party gaining access to the company's systems. The breach was not discovered immediately; it was identified and confirmed by the organization on June 1, 2023, five days after the initial compromise occurred. The investigation into the event determined that the attacker acquired sensitive personal information belonging to a total of 1,314 individuals. This affected population included 24 residents of the state of Maine.

The specific category of information acquired during the breach was classified as a name or other personal identifier in combination with financial account numbers or credit/debit card numbers. Furthermore, this financial data was compromised in combination with the corresponding security codes, access codes, passwords, or PINs for the accounts. This combination of data elements significantly increased the risk for the affected individuals, as it gave the intruder the components needed to access and misuse the financial accounts directly.
In response to the discovery of the breach, Enterprise Bank & Trust Company engaged external legal counsel, specifically the firm Mullen Coughlin LLC, to manage the incident response and regulatory notification process. Lynda Jensen, a Partner at Mullen Coughlin, acted as counsel for the bank and served as the official submitter of the breach notification to the Maine Attorney General's office. The bank undertook an investigation to determine the full scope and impact of the incident, focusing on identifying which individuals and what specific types of their personal information were involved.
The breach notification was formally submitted to the Maine Attorney General's office, a step required under state law due to the involvement of Maine residents' personal information. The submission occurred on May 31, 2023, which was within a timeframe consistent with regulatory obligations for reporting such events. The filing confirmed the details of the breach, including the dates of occurrence and discovery, the nature of the attack as an external system breach by hacking, and the precise types of personal information that were acquired by the unauthorized actor.
Enterprise Bank & Trust Company elected to provide written notification to all affected individuals. The process of notifying the 1,314 consumers whose information was involved in the incident was completed on September 7, 2023. This written communication served to inform them of the event, the nature of the information that was compromised, and the steps the company was taking in response. A copy of this notice, titled "Enterprise Bank & Trust Company - Notice of Data Event," was also provided to the Maine Attorney General's office as part of the public record for the incident.
As a remedial measure to protect the affected individuals from potential identity theft and financial fraud, Enterprise Bank & Trust Company offered complimentary identity theft protection services. These services were provided through Experian, a major credit reporting and monitoring agency. The offered protection included comprehensive identity theft and credit monitoring services designed to alert individuals to certain changes in their credit profiles. The service was offered to the victims of the breach for a period of between 12 and 24 months, providing them with an extended safety net to help detect any misuse of their personal information.
The incident represented a significant cybersecurity event for the financial institution, impacting over a thousand customers. The compromise of highly sensitive financial authentication data necessitated a substantial response effort, including investigation, regulatory compliance, and customer outreach and support. The offering of credit monitoring services was a direct action taken to mitigate potential future harm to those whose data was exposed. The breach was contained following its discovery on June 1, 2023, with efforts then shifting to post-incident response, including the notification process which concluded in early September of that same year.
