Cyber Incident Victim: First Commonwealth Bank

Date: May 2023

Location: United States of America

Summary

First Commonwealth Bank experienced a data breach via a third-party financial institution vendor that utilized the MOVEit file transfer application. A security incident exploiting a zero-day vulnerability in MOVEit likely resulted in the copying of personal information from certain customers who use debit cards. There was no impact to the bank's own information systems or customer access credentials, and no material interruption to its business operations occurred.

Description

On or around May 31, 2023, First Commonwealth Financial Corporation, through its wholly-owned subsidiary First Commonwealth Bank, received written notice from a prominent third-party financial institution vendor. This notice informed the Bank that a security incident had occurred involving the vendor's service offering. The incident targeted a zero-day vulnerability within the MOVEit file transfer application, which the vendor utilized to provide services to the Bank. The vendor's notification indicated that data specific to certain First Commonwealth Bank customers was likely obtained as a result of this security breach. This event is referred to as the Vendor Incident.

Based on the initial investigation conducted by the vendor and the Bank, it was determined that the likely impacted individuals were certain customers of First Commonwealth Bank who used debit cards. The personal information belonging to these customers was copied during the exploitation of the MOVEit vulnerability. The vendor confirmed that it had implemented the recommended patches released by Progress Software, the developer of the MOVEit platform, in response to the discovered vulnerability. The patching action was taken to secure the system against further exploitation following the disclosure of the zero-day flaw.

First Commonwealth Bank engaged with the vendor to determine the specific scope of the impact, working to identify which customers were potentially affected and to ascertain the exact extent of the personal information that was potentially exposed. This collaborative effort was focused on understanding the breadth of the data compromise. Following this identification process, the Bank undertook measures to notify all potentially affected customers appropriately. The method and content of these notifications were tailored to inform customers about the potential exposure of their personal data due to the Vendor Incident.

An important finding from the initial investigation was that there was no indication the Vendor Incident had any impact on First Commonwealth Bank's own internal information systems. The bank's infrastructure, including critical systems and customer access credentials such as online banking passwords, remained secure and uncompromised. The incident was isolated to the vendor's environment and its MOVEit application. Consequently, there was no material interruption to the Bank's day-to-day business operations; customer accounts remained accessible, and financial services continued without disruption.

As a result of the incident, First Commonwealth Financial Corporation incurred certain expenses related to its response. These costs were associated with the efforts to remediate the situation and investigate the matter fully. The company acknowledged that it may continue to incur additional expenses in the future as a result of the Vendor Incident. The financial impact includes costs for customer notification, credit monitoring services for affected individuals, legal fees, and other investigative and remedial measures. The full scope of these costs was still being evaluated at the time of the report.

First Commonwealth remains subject to significant risks and uncertainties stemming from the incident. The primary risk involves the nature of the personal data that was accessed and copied. While the exact data elements were not fully detailed, the compromise of customer personal information typically carries the risk of identity theft, fraud, and financial loss for those individuals. This exposure also creates reputational risk for the Bank and its parent company, potentially affecting customer trust. Furthermore, the company faces potential regulatory scrutiny from both state and federal authorities regarding its data protection practices and its oversight of third-party vendors. Such incidents often lead to examinations by regulatory bodies to determine compliance with privacy and security regulations.

The potential for litigation is another direct consequence acknowledged by First Commonwealth. Security and privacy incidents of this nature have previously led to legal action, including class-action lawsuits filed on behalf of affected customers. These lawsuits can allege negligence, failure to protect sensitive data, and other claims, seeking monetary damages. The company is in the process of evaluating its potential legal exposure and any liabilities that may arise from the Vendor Incident. This evaluation includes assessing the extent of insurance coverage that may be available to offset some of the costs and any contractual indemnification clauses that might exist in the agreement with the vendor.

The ongoing investigation into the Vendor Incident is a key activity for First Commonwealth. The company is committed to understanding the complete scope and impact of the event. This process involves a detailed forensic analysis to confirm precisely what data was exfiltrated and which specific customers are impacted. The evaluation also includes a review of the vendor's security practices and the circumstances that led to the successful exploitation of the MOVEit vulnerability within their environment. The findings from this investigation will inform the company's future risk management and vendor oversight strategies.

In its public filing, First Commonwealth included forward-looking statements cautioning that the full understanding of the incident's impact may evolve. The company noted that its ongoing investigation could reveal additional information related to the Vendor Incident and the MOVEit vulnerability. This means that the number of affected customers or the type of information exposed could be broader than initially understood. The company's final assessment of the costs, operational impact, and legal and regulatory consequences may change as more information becomes available during the investigation. The situation remains dynamic, and the company's understanding of the incident's ramifications is still developing.
