First Horizon, a Memphis, Tennessee-based bank, was hit by a data breach in which an unauthorized party obtained login credentials and exploited a vulnerability in third-party security software, the company announced Wednesday in a filing with the Securities and Exchange Commission (SEC). The compromise allowed attackers to access fewer than 200 online accounts, steal personal information from the victims and exfiltrate less than $1 million, according to the filing.
The company discovered the incident in mid-April. It has since fixed the software vulnerability and reset passwords, and is working with the customers impacted by the breach to close their accounts and open new ones.
First Horizon has reimbursed the funds and notified law enforcement and other appropriate authorities about the breach, according to the filing. Company officials said in the filing they do not expect the breach to have a materially adverse impact on the company's financial condition or business operations.
The attack highlights the potential risk that financial institutions face when trying to protect customer account data and financial assets.
"Attackers are adept at finding the weakest link," Robert Haynes, SCA and open source evangelist at Checkmarx, said via email. "This is most frequently a human, and often results in phishing or spear phishing attacks against IT staff, as their credentials are often most useful to an attacker."
The third-party software vulnerabilities could range anywhere from a VPN vulnerability to a software library that provides one-time passcodes, Haynes said.
Three-quarters of financial institutions, including banks and insurance companies in the U.K. and U.S., faced a rise in cybercrime in the 12-month period after March 2020, when the U.S. lockdown began, according to a report released Wednesday from BAE Systems Applied Intelligence.
"Attackers are building increasingly advanced capabilities to target core banking systems and becoming more aggressive, harming victim’s ability to respond to attacks," said Adrian Nish, head of cyber at BAE Systems Applied Intelligence, as part of the report.
The report shows 56% of U.S. and U.K. banks and insurers had a surge in financial losses related to cyber activity over the last year, averaging about $720,000 per incident.
A separate report from VMware also indicates a surge in cyberattacks against financial institutions, particularly since the COVID-19 pandemic began in early 2020.
The report, based on interviews with 126 chief information security officers from across the globe, shows that 54% of financial institutions experienced destructive attacks against their organization, representing a 118% increase from 2020 figures.
First Horizon National Bank last year merged with Iberiabank, creating a bank with $79 billion in assets and $60 billion in deposits.
Bank officials could not be immediately reached for comment.