
Cyber Incident Victim: Sound Community Bank

Date: Apr 2023

Location: United States of America

Summary

Sound Community Bank experienced a potential data breach when a third-party vendor's MOVEit file transfer tool was exploited by the CL0P ransomware gang. The incident involved the unauthorized access of sensitive customer data, including names, Social Security numbers, account numbers, and online banking information. While the forensic investigation indicated the data was downloaded only once during a valid transfer, it could not be definitively determined if the information was stolen. The bank notified regulators and affected customers.


Description

On or around June 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory on the CL0P ransomware gang's exploitation of a zero-day vulnerability in Progress Software Corporation’s MOVEit Transfer software. This previously unknown flaw could enable malicious actors to gain unauthorized access to sensitive files and information. MOVEit is a managed file transfer product used by thousands of organizations, and it became the subject of a widely reported cybersecurity event impacting numerous financial institutions, federal and local government agencies, and businesses.


Sound Community Bank was notified by one of its trusted third-party vendors on June 13, 2023, that this vendor had used the MOVEit application to transfer the Bank’s customer banking information. The vendor provided certain regulatory compliance and operational support services to the Bank, including account hosting and transaction processing. The Bank itself did not use the MOVEit file transfer system. The specific customer data had been uploaded to the vendor’s MOVEit file transfer site on April 3, 2023. The vendor’s forensic investigation indicated that the Bank’s customer data, pertaining to approximately 16,000 mobile and online banking customers, was downloaded only one time in connection with a valid file transfer request by the Bank. However, it was deemed impossible to definitively determine whether the CL0P threat actors were able to infect that specific transfer with malware and steal the data. To date, there has been no indication that any personal data of the Bank’s customers has been compromised or misused.

The involved data constituted a comprehensive set of online banking information. This included customer names, usernames, addresses, email addresses, account numbers, dates of birth, Social Security numbers, bill pay information, and account history. The Bank confirmed that customer passwords were not included in the file transfer. The vendor disabled its MOVEit transfer tool on May 31, 2023, and kept it offline until it could implement a software patch provided by Progress Software Corporation to remediate the vulnerability. The vendor informed the Bank that it had subsequently rectified the vulnerability that allowed the incident to occur.

Upon being notified, Sound Community Bank initiated its response. The Bank notified law enforcement agencies as well as its primary banking regulators and committed to keeping them informed as the investigation continued. The Bank’s parent company, Sound Financial Bancorp, Inc., disclosed the event in a filing with the Securities and Exchange Commission on July 14, 2023. The company stated it did not currently believe the vendor incident would have a material adverse effect on its business, operations, or financial results, while also acknowledging potential future legal, reputational, and financial risks resulting from the event.

The Bank worked to obtain additional information from the vendor about the data security incident and undertook efforts to notify all potentially affected customers. Notification to customers was not delayed as a result of a law enforcement investigation. In its customer communication, the Bank was transparent about the potential breach and the steps customers could take, though it emphasized it had no indication that banking information was actually taken. The Bank provided a dedicated point of contact for customers, directing them to its Client Service Center or their personal banker for any questions.

As a protective measure for its customers, Sound Community Bank offered a complimentary 24-month membership to a credit monitoring and identity theft protection service called OnAlert™ (Essential Bundle) from ChexSystems®. The enrollment period for this offer was set to expire on December 31, 2023. The features of this service included a single-bureau credit report and score from Experian, credit monitoring from Experian, dark web monitoring, ChexSystems monitoring and alerts, full-service identity restoration assistance, lost wallet assistance, and up to $1 million in identity theft insurance. The Bank’s notification also included extensive reference information guiding customers on how to order free credit reports, place fraud alerts on their credit files, and initiate credit freezes with the three major nationwide consumer reporting agencies: Equifax, Experian, and TransUnion. Customers were also advised to be vigilant by carefully reviewing their account statements for the next 12 to 24 months for any suspicious or unauthorized activity and to contact the Bank immediately if any was detected. Although passwords were not exposed, the Bank recommended customers change their online banking password and update their username to a unique identifier not based on their account number or email address.
