Cyber Incident Victim: Horizon Bank

On July 12, 2023, Horizon Bank received written notice from an unnamed third-party vendor that provides services to many prominent financial institutions. This notification informed the bank that its customer data was included in a global cybersecurity incident involving Progress Software's MOVEit Transfer file transfer software. This software is deployed by government agencies and corporations worldwide. The initial discovery of the incident was made by the vendor, not by Horizon Bank internally. The bank's immediate priority was to confirm that its own internal network and IT systems were not compromised. Communication with the vendor confirmed that Horizon Bank's internal infrastructure was not involved in the breach; the incident was entirely contained within the vendor's environment.

The investigation into the incident determined that an unauthorized third party did gain access to personally identifiable information of select Horizon Bank consumer clients. This unauthorized access occurred on or about May 30, 2023. The accessed information was contained within files on the third-party vendor's MOVEit Transfer system. The bank worked with the vendor to identify the specific customers impacted and to determine the exact extent of the information that was exposed. The analysis confirmed that the information accessed was limited in scope. It included customer name, account number, and an outdated balance. The bank specifically confirmed that more sensitive customer information was not contained in the accessed files. This excluded data included Social Security numbers, birthdates, online banking credentials, and debit card numbers. The bank characterized the volume of exposed data as being less than what is typically contained on a personal check.

In response to the vendor's notification, Horizon Bank confirmed that the vendor had implemented the recommended patches released by Progress Software for the MOVEit platform. This action was taken by the vendor to remediate the vulnerability that was exploited in the global attack. Beyond the specific vendor involved, Horizon Bank proactively engaged its other critical vendors that may have also been impacted by the same MOVEit software vulnerability. As of the date of the customer notification, August 10, 2023, the bank had not received any additional notifications from other vendors regarding further impacts, but it committed to continuing to assess and respond to any potential future impacts.

The primary impact of the incident was the unauthorized access and exposure of personal information belonging to a subset of Horizon Bank's consumer clients. The compromised data fields were name, account number, and an outdated account balance. The bank assessed that the absence of highly sensitive data like Social Security numbers or financial credentials significantly reduced the immediate risk of identity theft or direct financial fraud for the affected individuals. However, the exposure of names and account numbers was still deemed a risk that warranted customer notification. The incident did not impact the bank's internal operations, its network, or its IT systems, as the breach was confined to the third-party service provider's systems.

Horizon Bank's response was focused on customer communication and guidance. The bank issued a detailed notification letter to affected customers dated August 10, 2023. This letter outlined the nature of the incident, the specific data involved, and the actions the bank and its vendor had taken. The notification emphasized that the breach was part of a larger global event and was not targeted specifically at Horizon Bank or its customers. The bank provided a dedicated telephone number, (888) 873-2640, for customers to call with any assistance or questions regarding the incident. Furthermore, the bank provided recommendations for customers to protect themselves, though these were presented as general guidance rather than steps specific to the breach.

The guidance offered to customers included advice to remain vigilant over the next 12 to 24 months and to carefully review account statements for any suspicious activity, reporting any findings immediately to the bank. Customers were encouraged to utilize online banking to monitor transaction activity regularly and to set up alerts for notifications of balance changes, invalid logins, and authorized transfers. The bank also directed customers to its Online Security Center at www.horizonbank.com/privacy-and-security for information on fraud prevention and monitoring credit with the three major credit reporting agencies. A link to the Federal Trade Commission’s website on identity theft protection was also provided.

The notification also included specific information for residents of certain states, in compliance with various state laws. For Illinois and North Carolina residents, the contact details for the Federal Trade Commission were provided. For residents of Illinois, Massachusetts, New Mexico, and North Carolina, the contact information for the three major consumer reporting agencies—Equifax, Experian, and TransUnion—was listed. Massachusetts residents were informed of their right to obtain any police report filed in regard to this event and were provided with detailed instructions on how to request a security freeze on their credit reports at no charge. New Mexico residents were provided with a summary of their rights under the Fair Credit Reporting Act. New York residents were given contact information for the New York Attorney General’s Office, and North Carolina residents were provided with contact information for the North Carolina Attorney General’s Office. The incident was assigned data breach number 30263 by the state of Massachusetts.