Cyber Incident Victim: City National Bank of Florida

On or around May 29, 2023, and continuing through May 30, 2023, City National Bank of Florida experienced a significant external system breach. The incident was characterized as a hacking event that resulted in unauthorized access to the bank's information systems. The breach was not discovered until June 3, 2023, indicating a short period between the initial compromise and its detection. The bank, headquartered at 100 S.E. 2nd St. in Miami, Florida, is a financial services organization, and the incident impacted a substantial number of individuals.

The total scope of the incident was detailed in two separate breach notifications submitted to the Office of the Maine Attorney General. One filing reported that 40,670 persons were affected, including 15 Maine residents. A separate but related filing reported a different set of impacted individuals, numbering 36,306 persons, including 13 Maine residents. The discrepancy between these two figures suggests that the breach involved multiple data sets or that the bank identified additional information compromised after an initial assessment. The specific data acquired by the attackers varied between these groups of affected individuals.

For one group of 40,670 affected persons, the information acquired in the breach consisted of a name or other personal identifier in combination with a financial account number or credit/debit card number. Furthermore, this financial information was compromised in combination with the account's security code, access code, password, or PIN. This combination of data elements significantly increases the potential for fraud and unauthorized financial transactions. For the other group of 36,306 affected persons, the information acquired was a name or other personal identifier in combination with the Social Security Number. The compromise of Social Security Numbers presents a severe and long-term risk of identity theft for the victims.

The bank engaged the legal services of Greenberg Traurig LLP to handle the breach notification process. Notifications were submitted on behalf of the bank by Jena Valdetero, an attorney with the firm. The method of consumer notification was written communication. The dates for notifying consumers occurred on June 30, 2023, and July 21, 2023. The dual notification dates correspond to the two distinct groups of affected individuals and the different types of personal information that were compromised. All affected Maine residents were provided with a copy of the notification letter.

In response to the breach, City National Bank of Florida offered identity theft protection services to all affected individuals. The provider of these services was IDX. The offered services included 24 months of credit monitoring and CyberScan monitoring. CyberScan monitoring typically involves scanning the dark web for an individual's personal information. The protection services also included an insurance reimbursement policy of up to $1,000,000 and fully managed identity theft recovery services. This offering is a standard remedial action intended to help victims detect and recover from any misuse of their personal data following a breach. The bank confirmed that no breach notifications had been issued within the twelve months preceding this incident. The breach did not affect a sufficient number of Maine residents to trigger a requirement to notify consumer reporting agencies.