The information of 50,000 clients of Orrstown Bank, located in Pennsylvania and Maryland, was exposed by outside sources, the bank says. Two employees at the bank fell victim to a phishing attack that targeted the bank. The incident occurred on July 19th and affected anybody whose information was accessible through the employees' email accounts. The security team at the bank said they immediately shut off the compromised accounts and terminated access by those accounts. None of the bank's other systems besides email was affected, and the bank hired a forensic team to determine what information was actually taken, though the findings were not released publicly. Orrstown Bank stated that not all of its customers were affected, but those who were will be offered free credit monitoring. There is no evidence at this point that the information is for sale or being misused, but some threat actors will wait months or years before attempting to use stolen information. The bank also stated it is enhancing its security training programs for employees. This breach is another example of employee negligence resulting in major problems for the company and demonstrates how proper security training can save millions in lost data and customers.