The fallout from a security vulnerability in commonly used file transfer software continues for the financial industry. Since
The latest example is Fiserv and Flagstar Bank, which together suffered one of the largest data breaches stemming from the vulnerability. The bank notified
A spokeswoman for Flagstar Bank said the bank, after learning about the breach from Fiserv, "took immediate action" to ensure Fiserv launched an investigation into which bank customers were affected by the data breach and that Fiserv "remediated all technical vulnerabilities and patched systems in accordance with the MoveIt software provider's guidelines."
In May, ransomware group Cl0p began exploiting a since-patched vulnerability in file-transfer software MoveIt to steal data from thousands of organizations,
Some of the banks that have newly reported that their data had been compromised did not even use MoveIt software directly. Rather, they had their data stolen because of a breach at a third-party provider using MoveIt.
For example, compliance tech company Sovos has reported to the state attorneys general of
There are
A spokeswoman for Patelco Credit Union emphasized that Sovos suffered a breach and that the incident was not a result of a breach at the credit union. She also noted that Sovos immediately took the steps necessary to remediate the breach.
Despite the multiple institutions whose data got caught up in the Sovos breach, there have been larger breaches stemming from the MoveIt vulnerability, the largest of which, to date, affected Maximus, a government services company.
The third largest MoveIt breach by Emsisoft's counting involved the personal data of customers of Alogent, a deposit automation company. Alogent
In a similar example, professional services company Ernst & Young
A third example in this mold involved First National Bankers Bankshares and BOM Bank. In
Some breaches do not appear to have involved customer data. For example, the Vermont Department of Financial Regulation disclosed in August that 43 companies (mostly insurers) had notified the state regulator of MoveIt-related breaches. Bank of Burlington appeared on that list, but
The following U.S. banks and credit unions have also notified customers of data breaches stemming from the MoveIt vulnerability, or made a regulatory filing disclosing such a breach. Some banks noted that their systems were not compromised but rather that the breach stemmed from a third party's use of MoveIt.
Aloha Pacific Federal Credit Union, AmeriServ Financial Bank, Bank OZK, BankGloucester, BankNewport, Chevron Federal Credit Union, Dow Credit Union, Enterprise Bank, First Farmers Bank & Trust, First Fed Bank, First National Bank of Omaha, Horizon Bank, Leader Bank, Lincoln Savings Bank, M&T Bank Corporation, Mauch Chunk Trust Company, MidFirst Bank, Northern Bank and Trust, Park National Bank, Primis Bank, Space Coast Credit Union, Stockman Bank, University Federal Credit Union, Valley Bank
While few banks have publicly acknowledged MoveIt-related breaches on their website, one exception is Pacific Premier Bank, which was among the banks affected by the Sovos breach.
Pacific Premier