Cyber Incident Victim: Financial Institution Service Corporation

On May 31, 2023, Financial Institution Service Corporation discovered a data breach that had occurred the previous day. The incident was identified as an external system breach resulting from a hacking event. The specific cause was a third-party event involving the MOVEit Transfer software. This breach resulted in the unauthorized acquisition of sensitive personal information belonging to a total of 753,261 individuals. Among those affected, 64 were identified as residents of the state of Maine. The compromised data included names or other personal identifiers in combination with financial account numbers or credit and debit card numbers. Furthermore, this financial information was compromised in combination with security codes, access codes, passwords, or PINs for the associated accounts, significantly increasing the potential risk of fraud and identity theft for the impacted individuals.

The breach was formally reported to the relevant authorities by Greg Souther, the Senior Vice President of Financial Institution Service Corporation. The organization, a financial services entity, is physically located at 500 Pavilion Road in West Monroe, United States, with the zip code 71292. The point of contact for the incident was provided as Greg Souther, with a telephone number of 318-651-4613 and an email address of [email protected]. His relationship to the entity whose information was compromised was confirmed as its Senior Vice President. The discovery of the breach on May 31, 2023, immediately followed its occurrence on May 30, 2023, indicating a swift initial detection of the security event.

In response to the incident, Financial Institution Service Corporation opted to provide written notification to all affected consumers. The notifications were scheduled to be sent out on September 22, 2023, nearly four months after the breach was discovered. This delay between discovery and notification is typical for extensive forensic investigations to fully determine the scope and impact of a cybersecurity incident. A copy of the notice intended for affected Maine residents was filed with the state's authorities under the title "Financial Institution Service Corporation - Notice of Data Event - ME.pdf". The entity confirmed that this was its first such breach notification within the preceding twelve-month period.

As a remedial measure to assist the victims, Financial Institution Service Corporation offered comprehensive identity theft protection services to all affected individuals. The provider of these services was the firm Kroll. The offered services included both identity monitoring and restoration services, designed to help individuals detect any fraudulent use of their information and to provide support in recovering their identities if theft occurred. The duration of this protection coverage was set for a period of twelve months from the time it was activated by each consumer. This offering is a standard practice in the industry to mitigate the potential harm caused by the exposure of highly sensitive financial and personal data.

The scale of the breach, affecting over three-quarters of a million people, underscores the significant impact of vulnerabilities within third-party software systems. The MOVEit Transfer platform is a widely used tool for secure file transfers, and the event impacting Financial Institution Service Corporation was part of a broader series of attacks exploiting a zero-day vulnerability in the software. This pattern indicates a sophisticated and coordinated attack campaign targeting numerous organizations that utilized this specific software to handle sensitive data. The attackers leveraged this vulnerability to gain unauthorized access to systems and exfiltrate data stored within them.

The specific actions taken by Financial Institution Service Corporation to contain the breach upon discovery were not detailed in the public notification. However, standard incident response procedures for such an event typically involve immediately isolating the affected systems to prevent further unauthorized access, engaging cybersecurity forensic experts to investigate the extent of the compromise, and notifying law enforcement agencies. The forensic investigation would aim to determine the precise entry point used by the attackers, the data accessed and exfiltrated, and whether the threat actor's access was fully eradicated from the network.

The consequences of this breach are severe due to the nature of the data involved. The combination of names, financial account numbers, and the accompanying authentication credentials such as PINs or security codes provides malicious actors with all the necessary components to commit financial fraud directly. Affected individuals faced an elevated risk of unauthorized transactions on their accounts, new account fraud, and other forms of identity theft. The provision of credit monitoring and identity restoration services was a direct response to these tangible risks, intended to provide a safety net for consumers.

The delay in consumer notification, from the end of May until late September, reflects the complex and time-consuming process of conducting a thorough forensic investigation. This process involves analyzing system logs, understanding the data structures within the compromised MOVEit system, and meticulously identifying every individual whose information was stored in the affected files. This painstaking work is necessary to provide accurate and complete information to those impacted and to comply with various state regulations that mandate notification only after a confirmation of the breach's scope.

The entity involved, Financial Institution Service Corporation, operates within the financial services sector, which handles some of the most sensitive categories of personal data. This incident highlights the ongoing cybersecurity challenges faced by financial institutions, particularly those arising from dependencies on third-party vendors and software. A breach in a supplier's system can directly compromise the primary institution's data, transferring the risk and necessitating a coordinated response. The compromise of such a large volume of records demonstrates the attractive nature of financial data to cybercriminals and the persistent threats facing the industry.

This incident was reported to the Maine Attorney General's office as required by state law due to the number of affected Maine residents crossing the reporting threshold. The report serves as a public record of the event and the organization's response. The structured information provided includes the total number of persons affected, the number of state residents impacted, the date of the breach, the date of discovery, a description of the breach type, the categories of information acquired, and details on the notification and mitigation efforts undertaken. This transparency is a key component of regulatory compliance following a significant data security event.