Indiana-based 1st Source Bank suffers a MOVEit Transfer hack, loses 450k customers' data

1st Source Bank, a leading financial service company based in South Bend, Indiana, said it suffered a significant data breach as a result of the Clop ransomware group exploiting a zero-day vulnerability in the MOVEit Transfer web application.

Earlier this month, 1st Source Bank disclosed that like hundreds of other organisations, it used the MOVEit Transfer web application to send and receive files securely. After the Clop ransomware gang exploited a zero-day vulnerability in the software, hundreds of organisations around the world have come forward, disclosing that they have suffered significant data breaches exposing the personal sensitive information of their employees.

1st Source Bank said threat actors infiltrated its network on the 9th of July and accessed confidential information of some of its commercial and individual clients. It soon launched an internal investigation with assistance from cyber security experts to understand the nature of the compromised information.

In a filing with the office of the Maine Attorney General, the financial services company said that the sensitive personal information of its clients and employees was compromised as a result of the security incident. The compromised information included names, dates of birth, Social Security Numbers, driver’s license, state identification card numbers, and other government identification numbers.

The filing also confirmed that at least 450,000 individuals were affected by the data breach. 1st Source Bank said it is providing all affected individuals a year of complimentary identity and credit monitoring service through Kroll.

Last week, US-based population research service provider Pension Benefit Information said it suffered a massive data breach as a result of the Clop ransomware group exploiting a zero-day vulnerability in the MOVEit Transfer web application.

According to PBI’s internal investigation, the compromised information included clients’ names, partial mailing addresses, Social Security numbers, and dates of birth. The company clarified that this incident did not affect PBI’s “core systems or software”.

Initially, in a filing with the office of the Maine Attorney General, PBI said that 371,359 individuals were affected by the data security incident. The company later said in a separate filing with the U.S. Department of Health and Human Services Office for Civil Rights that the incident impacted at least 1,209,825 individuals.