Cyber Incident Victim: 1st Source Bank
Date:
Jun 2023
Location:
United States of America
Summary
1st Source Bank experienced a data breach stemming from a zero-day vulnerability in the MOVEit file transfer software used by the organization. An unauthorized third party exploited this weakness to access sensitive client data, including personally identifiable information and Social Security numbers, affecting approximately 450,000 individuals. The bank promptly deployed patches and cybersecurity defenses upon discovery, contained the vulnerability, and offered complimentary credit monitoring and identity restoration services to impacted clients.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around May 31, 2023, Progress Software Corporation, a vendor to 1st Source Bank, disclosed a previously unknown vulnerability within its MOVEit file transfer software. This software is utilized by thousands of organizations globally for secure data file transfers and became the center of a widespread cybersecurity event impacting numerous entities, including governmental agencies. 1st Source Bank used the MOVEit application for secure file transfers that supported its internal operations and client services. The nature of the vulnerability was such that it could enable malicious actors to gain unauthorized access to sensitive files and information stored within the application.
Upon learning of the vulnerability disclosure from its vendor, 1st Source Corporation, the parent company of 1st Source Bank, promptly initiated a response. The company deployed immediate cybersecurity defenses, which included applying the software patch according to Progress Software's published protocols. The host server containing the MOVEit software was also hardened as a further security measure. An internal investigation was launched in partnership with outside independent cybersecurity forensic experts to determine the scope and impact of the incident. The company also established contact with law enforcement and regulatory authorities as part of its response protocol.
The ongoing investigation determined that an unauthorized third party had exploited this vulnerability to gain access to the MOVEit application. This access resulted in the compromise of sensitive client data belonging to both commercial and individual clients. The acquired information included personally identifiable information, specifically names in combination with Social Security numbers. The breach occurrence was later specified as having taken place on June 1, 2023, which was also the date the breach was discovered by the company. The total number of persons affected by this incident was 450,000, which included 90 residents of the state of Maine.
In response to the confirmed data exposure, 1st Source Bank began notifying its impacted commercial clients and worked directly with them. The process of identifying and directly notifying the impacted individual clients was subsequently initiated. The method of notification for consumers was written correspondence. The date of consumer notification was set for July 14, 2023. As part of the notification and remediation effort, the company offered complimentary credit monitoring and identity restoration services to all impacted individuals. These services were provided by Kroll and included identity monitoring for a duration of twelve months.
The company's investigation remained ongoing, but it confirmed that the specific vulnerability within the MOVEit application had been contained. There was no indication that any other company information systems, beyond the MOVEit application itself, were impacted during this incident. Furthermore, there was no interruption to the company’s systems, services, or business operations as a result of the event. The company also acknowledged an awareness that certain of its other critical vendors may have been impacted by the same widespread MOVEit vulnerability, potentially exposing additional company data processed or stored by those third parties. However, the company had not received any notification confirming such an impact at the time of its filing and stated it would assess and respond to any further impacts as its investigation continued or if notified.
The company undertook an evaluation of the incident's financial impact, including certain remediation expenses and other potential liabilities. Despite the significant number of individuals affected, the company stated it did not believe the incident would have a material adverse effect on its business, operations, or financial results. The incident was reported to the Maine Attorney General's office as required by law, with the submission handled by the bank's legal counsel. The description of the breach was classified as an external system breach due to hacking, with a further specification of ransomware, indicating the possible motive and method of the attacking party. The company also fulfilled its obligation to notify consumer reporting agencies due to the number of affected Maine residents exceeding 1,000.