PwC data breach compromised the data of 82k Banco Popular de Puerto Rico customers

Puerto Rico’s largest bank, Banco Popular de Puerto Rico, said it suffered a data breach after auditing firm PwC became a victim of the exploitation of a zero-day vulnerability in the MOVEit Transfer web application.

In a recent filing with the Office of the Attorney General of Maine, the Puerto Rican bank said that one of its vendors, PricewaterhouseCoopers (PwC), used the MOVEit software to send and receive files securely, including some of the bank’s data. The security incident that PwC suffered had a cascading effect on the bank’s operations.

“As a public corporation that trades in the stock market, Popular is required to use the services of an auditing and accounting firm such as PwC. The job of auditing Popular requires, due to its nature, that Popular share client information so that PwC can perform certain independent validations necessary for Popular to issue financial statements,” the bank explained.

The security incident that PwC suffered had a cascading effect on Popular that resulted in certain sensitive data of a limited number of the bank’s customer being accessed by the threat actors.

“Upon learning of the incident, PwC immediately launched an investigation and ceased using the impacted software.  As a result of this investigation, it was determined on July 24th, 2023, that certain of the files compromised in the incident included personal information of our customers,” Banco Popular de Puerto Rico said.

According to the bank, the compromised information includes customers’ names, social security numbers, mortgage loan numbers, and other mortgage-related data. The filing with the Attorney General’s office also confirms that at least 82,217 customers of Popular were impacted by the incident.

The bank is providing two years of complimentary credit monitoring and identity protection services to all individuals who have been affected by the incident.

In June, PwC acknowledged that it suffered a data breach, stating that it was among hundreds of organisations globally that were affected by the exploitation of a zero-day vulnerability in the MOVEit Transfer web application.

In a statement shared with the media, a PwC spokesperson said, “Our investigation has shown that PwC’s own IT network has not been compromised and that MOVEit’s vulnerability had a limited impact on PwC.”