Bank customers’ data breached by third party, reports MainStreet
Cyber-crime affects organizations of every size, including community banks such as MainStreet Bancshares in the US. In this case the attackers did not breach the bank directly: they stole customer data by compromising a third-party provider that held it on the bank's behalf. The incident illustrates the core problem of vendor risk: once customer data is entrusted to an outsourced service, the bank's exposure is bounded by that vendor's security controls, not its own.
MainStreet Bancshares, the holding company for MainStreet Bank, disclosed the breach in a filing with the Securities and Exchange Commission (SEC) after learning of the attack in March. By April 28 it had confirmed that data belonging to approximately 4.65 percent of the bank's total customer base was compromised. The filing gave that proportion but not an absolute count of affected customers; the bank's 2024 financial results, which reported growth in deposits and revenues, offer only an indirect indication of its scale.
MainStreet Bank, based in Fairfax, VA, operates numerous ATMs but has only six branches, across Virginia and Washington DC. It also serves over 1,000 businesses through its "Put Our Bank in Your Office" on-premises banking offering. MainStreet Bank stated that its own technical infrastructure was not compromised and that no unauthorized transactions or transfers occurred. That statement is reassuring about the bank's systems and its customers' funds, but it does not change the fact that the data held by the vendor was exposed: a vendor compromise leaks customer data whether or not the bank's perimeter holds. The bank said it investigated and remediated the incident promptly and has ceased all activities with the third-party provider involved.
While MainStreet Bank contained the impact of the attack and notified affected customers, US banking bodies are increasingly critical of the reporting requirements that apply to such incidents. Industry groups are advocating repeal of rules such as Item 1.05 of Form 8-K, which requires SEC registrants to disclose a cybersecurity incident within four business days of determining that it is material. Since the rule took effect in December 2023, hundreds of organizations have had to disclose cyberattacks and data breaches in this way, drawing scrutiny and pressure onto the affected entities while investigations are often still under way.
In an open letter signed by several banking associations, including SIFMA and the American Bankers Association, the signatories complained of a lack of clarity and guidance on how to report cybersecurity incidents. They argued that the current requirements often force premature public disclosure, before the scope of an incident is understood, and that the resulting filings give investors little actionable information. Banks are also uncertain which item of the Form 8-K a given breach belongs under (Item 1.05 for incidents determined to be material, or Item 8.01 "Other Events" for those not yet assessed or found not material), which adds to the compliance burden.
The letter proposed that the SEC and the banking industry work together on a more balanced and workable cyber disclosure regime. The stated aim is to keep investors informed and support capital formation without disclosures that add cost or risk, for example by tipping off an attacker who is still active in a victim's environment. Clearer reporting rules and better communication between regulators and financial institutions would make incident disclosure more useful to the investors it is meant to protect.