Cyber Incident Victim: Central National Bank
Date:
Mar 2023
Location:
United States of America
Summary
Central National Bank experienced a cybersecurity incident involving unauthorized access to its computer systems, which resulted in a data breach. The compromised customer information included names, addresses, Social Security numbers, driver's license and state identification numbers, and financial account details. Notification letters were subsequently sent to all affected individuals whose sensitive data was accessed by an unauthorized party.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 28, 2023, Central National Bank filed a formal notice of a data breach with the Attorney General of Texas. This filing indicated the bank had recently learned that confidential client data entrusted to it had been leaked following a cybersecurity event. The incident involved an unauthorized party gaining access to the bank's computer system. The information stored on this system was subject to unauthorized access, though the specific technical methods of the attack or initial access vectors were not detailed in the public filing. The bank became aware that a security event had occurred, prompting an immediate internal response.
In response to discovering the unauthorized access, Central National Bank launched a comprehensive investigation into the incident. The primary purpose of this investigation was to determine whether any customer information had been leaked as a direct result of the security breach. The investigation confirmed that an unauthorized party was indeed able to access certain sensitive information that had been provided to the bank by its customers. The investigation process involved a detailed review of the affected files to ascertain the precise nature and scope of the compromised data.
The review of the affected files determined that the breached information varied from individual to individual. The data types accessed by the unauthorized party included consumers' names and addresses. Highly sensitive personally identifiable information was also compromised, including Social Security numbers, driver’s license numbers, and state identification numbers. Furthermore, the unauthorized access extended to financial account information, though the specific types of accounts or exact financial details were not enumerated beyond this broad categorization. The total number of consumers impacted by this data security incident was not disclosed in the Texas Attorney General filing.
Following the confirmation that sensitive consumer data had been made available to an unauthorized party, Central National Bank initiated the process of notifying affected individuals. On March 28, 2023, the same day as the filing with the Texas Attorney General, the bank began sending out data breach notification letters to all individuals whose information was compromised as a result of the incident. These letters served to inform customers about the breach and the specific types of their personal information that were involved.
The immediate consequence of the breach was the exposure of highly sensitive customer information. This exposure placed the affected information into the hands of the criminals who carried out the attack. The compromised data, particularly the combination of Social Security numbers, driver's license data, and financial account information, creates a significant risk for the impacted consumers. Such information is highly valued by cybercriminals and is commonly used to commit identity theft and various other forms of fraud against the victims. The bank's filing did not indicate whether any fraudulent activity had already been detected stemming from this specific incident.
Central National Bank is a financial institution based in Waco, Texas. It operates four physical branch locations within the state, serving areas including Austin, Waco, and Temple. The bank provides a traditional suite of financial services to both individual and corporate clients. These services include checking and savings accounts, personal loans, business loans, home mortgages, credit cards, and merchant services. The institution employs more than 72 people and generates approximately $12 million in annual revenue. The data breach incident affected the computer systems holding customer data for this financial entity.
The public disclosure of the event was made through the legal requirement of filing with the Texas Attorney General. This filing constitutes an official acknowledgment of the data security incident. The bank's public communications, as reflected in the legal notice, focused on the steps taken after the discovery of the breach, namely the investigation and the consumer notification process. The narrative provided by the bank describes a sequence of events beginning with the discovery of unauthorized access, leading to an investigation that confirmed data exposure, and culminating in the notification of affected parties. The specific timeline between the initial cybersecurity event and the bank's discovery of it was not publicly disclosed. Similarly, the duration of the unauthorized access within the system prior to detection was not specified in the available information. The containment measures undertaken by the bank to secure its systems following the incident were also not detailed in the public filing. The response appears to have been focused on determining the scope of the data loss and fulfilling regulatory and legal obligations to inform state authorities and customers. The incident represents a significant data security event for a regional financial institution, potentially impacting an unknown number of its customers whose personal and financial information was exposed.