Limestone data breach exposes 50K customers


Limestone bank in the US has disclosed a data breach exposing some 50,000 customers’ personal details, including financial account and credit card numbers.

In a letter of notification sent to affected clients on September 15th, Limestone said it had “identified unusual activity involving an employee’s email account” that prompted it to launch an inquiry.

ADVERTISEMENT

Another notification issued to the state of Maine, which imposes strict reporting requirements on organizations suffering cyberattacks that affect its residents, placed the total number of victims at 47,590. The vast majority of these resided in other parts of America.

A cybersecurity contractor hired to investigate confirmed “evidence of unauthorized access to one employee email account.” The unknown threat actor appears to have had control of the breached account between November 21st and March 23rd this year.

Sensitive data exposed during the breach includes financial account and credit or debit card numbers along with security and access codes, passwords, and account PINs.

Threat actors often gain purchase during cyberattacks by targeting one point of entry in a target’s computer systems, using this to infiltrate other parts of the network in a process sometimes referred to as lateral movement.

Shortly before a merger with People’s Bancorp on April 30th, Limestone’s assets were valued at $1.5 billion, with total issued loans of $1.1 billion and total deposits of $1.2 billion. The merged entity is now known as People’s Bank, though as the breach occurred before the merger it would appear that only customers of Limestone were affected.

Limestone has offered victims a year of free credit monitoring, fraud consultation and identity theft restoration services, and set up a toll-free call center to answer questions.

ADVERTISEMENT