Cyber Incident Victim: MainStreet Bancshares
Date:
Mar 2025
Location:
United States of America
Summary
MainStreet Bancshares disclosed that a third‑party vendor supporting its core banking platform suffered a breach that exposed personal data of a small portion of its customers. The company said its own systems were not compromised, no unauthorized transactions or fund transfers occurred, and it notified regulators, provided affected customers with monitoring tools, and ceased further work with the vendor. It characterized the incident as having no material impact on operations, financial condition, or reputation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In March2025, MainStreet Bancshares, Inc. received notification that an outside vendor supporting its core banking platform had suffered a security breach. The company promptly activated its incident response protocol to investigate the scope and potential consequences of the vendor compromise. By April 28, 2025, after completing an internal review, MainStreet determined that the vendor’s compromised environment contained personally identifiable information belonging to roughly 4.65 percent of its customer base, which the bank described as a small subset. The review also confirmed that MainStreet’s own information technology systems and networks remained uncompromised, that no unauthorized transactions had been processed, and that no funds had been transferred to unknown parties. Consequently, the bank ceased all further activity with the affected vendor while continuing to allow customers to conduct normal transactions. On May 26, 2025, MainStreet established additional monitoring measures and notified the impacted customers, providing them with tools to watch for any suspicious activity. The company also informed the appropriate regulators of the incident as part of its disclosure obligations.
MainStreet Bancshares reported that the incident did not produce a material effect on its operations, financial condition, results of operations, reputation, or future prospects, and it does not anticipate any such impact moving forward. The bank holds approximately $1.9 billion in deposits and recorded a net income of $2.5 million in the most recent quarter, contrasting with a net loss of $9.98 million in 2024. Although the bank’s systems were not breached and no money was stolen, the disclosure coincided with a letter from five major banking associations urging the SEC to repeal its cyber incident reporting rule, arguing that the requirement creates unnecessary burdens and can be exploited by threat actors. MainStreet’s filing noted that the incident had not been deemed material under the rule, aligning with the broader trend where only a minority of similar filings have identified material consequences. The bank emphasized that customers remained able to execute transactions without interruption throughout the response period.