Piscataqua Savings Bank customer information snared in worldwide MOVEit data breach
PORTSMOUTH — An undisclosed number of deposit account holders at Piscataqua Savings Bank have had personal information exposed after a third-party vendor was breached this spring.
In response the bank has offered credit monitoring services to its members and is urging them to stay vigilant of activity on their accounts.
The Pleasant Street bank, open since April 1878, was alerted this summer that some clients’ information - specifically their names, Social Security numbers, dates of birth, and account numbers - was involved in a worldwide data breach affecting the government, technology, and healthcare industries.
“A file transfer software, the MOVEit Transfer application, used by thousands of companies across the world and multiple industries including government, healthcare finance and technology companies was compromised by a Russian hacking group,” the bank reported.
The MOVEit file transfer system was developed by Progress Software Corporation and was attacked over a few days in late May. The Russian hacking group reportedly responsible for the breach is CL0P Ransomware Gang, according to the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
Customers’ information was accessed through a file sent to the New Hampshire Department of Child Services, a protected file required by the state to be sent every month. The vendor used by Piscataqua Savings Bank to initiate the processing of transactions was impacted by the incident, per the bank.
“Although the file was encrypted in transit, the attacker had elevated authority to extract and decrypt the file,” the bank notes.
Antone Cabral, senior vice president and senior information technology officer at the bank, declined to specify how many clients of the bank were exposed in the data theft. He emphasized that the bank itself did not experience its own data breach and wasn’t targeted directly.
The bank has assured that no customers’ online banking usernames or passwords were accessed in the attack.
“It was sent in the manner that it should have been,” Cabral said of the bank’s file. “It was encrypted and sent securely. Everything was done properly.”
Piscataqua Savings Bank was notified of the breach’s impacts on the bank on Aug. 3, according to the financial institution. Account holders were notified of the incident in an Aug. 23 letter, with the bank sending a subsequent letter to clients in mid-October.
The bank had never been involved in a data breach before or been specifically targeted by hackers, Cabral said.
“That was the tough thing about this breach,” he said. “This was out of our control.”
In the wake of the breach, the bank has partnered with Kroll, an identity monitoring service, to offer free assistance to Piscataqua Saving Bank customers for the next two years. Enrollment credentials to Kroll’s services have been sent to the bank’s customers.
“Regardless of whether you elect to activate the identity monitoring service, we strongly recommend that you remain vigilant and regularly review and monitor all your credit history to guard against any unauthorized transactions or activity,” the bank wrote in its Oct. 19 letter to customers. “We also recommend that you closely monitor your account statements and notify us or any other of your financial institutions if you suspect any unauthorized activity.”
Kroll’s services for Piscataqua customers will include credit monitoring, fraud consultation and identity theft restoration, the bank shared. The credit monitoring service is only available to adults aged 18 or older.
Cabral reiterated that all Piscataqua Savings Bank account holders should be watchful of their account activity now and in the future.
“It’s hard to keep your information secure and it’s more about what you're going to do when this happens," Cabral said. “Make sure to have a plan.”
This article originally appeared on Portsmouth Herald: Piscataqua Savings customer information snared in global data breach
