Hatch Bank Hacked: 140,000 Social Security Numbers Stolen by Cybercriminals
Hatch Bank, a digital-first bank that offers an infrastructure for fintech businesses' own branded credit cards, has announced a data breach that resulted in the loss of over 140,000 client Social Security numbers. The bank revealed that hackers took advantage of a zero-day vulnerability in file transfer software from Fortra, which supplies the GoAnywhere software for secure file transfers.
The vulnerability in Fortra's GoAnywhere software came to light on February 2, when security reporter Brian Krebs revealed details of the company's security warning, which had previously been buried behind a login screen. Meanwhile, the infamous Clop ransomware group has claimed responsibility for exploiting the CVE-2023-0669 zero-day vulnerability to steal data from over 130 businesses. Hatch Bank became the second known victim of the zero-day vulnerability after Community Health Systems, one of the major healthcare providers in the United States, reported that it had fallen victim to the same zero-day issue.
Hatch Bank Hacked: How the Hatch Bank Data Breach Occurred
According to the data breach notice filed with Maine's attorney general, the attackers used a flaw in Hatch Bank's GoAnywhere system to acquire the names and Social Security numbers of roughly 140,000 clients, including 630 Maine residents. Fortra discovered the vulnerability in its GoAnywhere software on January 29, according to Hatch Bank, but did not alert the bank until February 3, one day after Krebs published details of the security problem. Fortra did not reply to inquiries from TechCrunch.
Between January 30 and January 31, the hackers obtained unauthorized access to Hatch Bank's account. After the incident, the bank took immediate steps to safeguard its data and began a thorough analysis of pertinent files to determine how much information may have been affected. Hatch Bank has also notified federal authorities. The bank is providing free credit monitoring services to people affected by the hack and is working to put new internal measures in place. In addition, the bank has begun to provide cybersecurity training to its workers.
The full scope of the GoAnywhere vulnerability’s ramifications is unknown, but Clop’s assertions imply that many more victims have yet to come forward. Security experts have connected the issue to an earlier zero-day flaw that affected Accellion’s legacy file transfer appliance (FTA) and was exploited to breach several businesses, including Qualys, Shell, the University of Colorado, Kroger, and Morgan Stanley.
Steps Necessary After the Hatch Bank Data Breach: Cyber Security Measures
These are a few cyber security measures that Hatch Bank needs to follow to mitigate the data breach:
- The bank must work to limit the hacker's access to vital information and prevent additional harm. This might include shutting down impacted systems, changing passwords, or blocking IP addresses.
- The bank needs to identify the scale of the incident, how it occurred, and what data was exposed.
- Depending on the nature of the breach, the bank may be compelled to notify impacted customers and regulatory agencies.
- To help safeguard impacted clients from identity theft or other kinds of fraud, the bank may offer credit monitoring or other services.
What Can Customers Do To Protect Their Personal Information And Prevent Identity Theft After A Data Breach? Customer Data Privacy!
Any firm can suffer a data breach; therefore, it's important to be proactive in protecting your personal information and data. Fortunately, you don't have to be a computer expert to protect yourself from cybercrime and identity theft. To keep your information safe after a data breach, use these measures and best practices.
- Employ strong passwords: For each account, choose a unique and secure password that includes upper and lower case letters, numbers, and symbols. Do not use simple words or sequences, such as "password" or "1234", or personal information, such as your child's name. If you're concerned about losing or forgetting your passwords, purchase a reputable password manager. Password management programs can assist you in creating strong passwords and auto-filling them when needed.
- Examine your credit reports: Examine your credit report on a frequent basis to check that no new loans or credit cards have been fraudulently issued in your name. Each of the three main credit bureaus (Equifax, Experian, and TransUnion) provides consumers with one free credit report each year. You may request them all together or individually at any time. Receiving one credit report every four months from a different reporting agency is an excellent method to keep track of your credit throughout the year. You may also sign up for free credit monitoring through a credit bureau or a third-party business.
- Verify your transactions, bank accounts, and financial account statements regularly. Check that you have fraud alerts set up. These services alert customers when there are questionable transactions or activity on their accounts.
- Use the utmost caution when clicking links or downloading things from the internet. Many scams are perpetrated by cyber criminals impersonating reputable persons or institutions, such as friends, family, banks, or the government. If you get an unexpected link or file, contact the organization, friend, or family member immediately to check that the message is genuine.
What Are the Legal Obligations of Hatch Bank under Data Protection Laws?
Hatch Bank, as a financial institution, is subject to a variety of data privacy rules that govern the acquisition, use, storage, and sharing of personal information about its customers and staff. Hatch Bank’s legal duties under data protection legislation include the following:
- Data Protection Principles: Hatch Bank shall adhere to the data protection principles outlined in applicable data protection legislation. These principles include the need to treat personal data properly and legally, acquire only relevant and essential data, keep it correct and up to date, and use it exclusively for particular reasons.
- Security: Hatch Bank shall maintain the security and confidentiality of personal data by putting in place adequate technical and organizational safeguards to prevent unauthorized access, disclosure, modification, or destruction.
- Data Breach Notification: Hatch Bank shall notify the applicable data protection authorities and impacted data subjects in the event of a data breach that may affect an individual’s rights and freedoms.
- Data Transfer: Hatch Bank must guarantee that whenever it transmits personal data to a third country or an international organization, the receiving country or organization offers an acceptable degree of protection for personal data.
How Can Banks Protect Themselves from Data Breaches? Protective Cyber Security Measures
To secure sensitive data, banks must take a 360-degree approach to ensure that a data breach does not occur internally or externally. This entails safeguarding both the customer-facing and internal banking procedures connected to workers, vendors, technology, and processes. The following are some cyber security measures that your bank should take into account to prevent future hacks:
- Authentication
- Audit Trails
- Secure Infrastructure
- Secure Processes
- Continuous Communication
- Establishment of enterprise-wide security policy
- Implementation of logging and monitoring
- Creation of a disaster recovery plan
- Data Encryption
- Implementation of multi-factor authentication
A Few Final Thoughts
This blog aims to provide information on the Hatch Bank data breach, in which 140,000 Social Security numbers were stolen by cybercriminals. We have explained how the Hatch Bank data breach occurred and outlined the legal obligations of Hatch Bank under data protection laws. By the end of this blog, you will also know the cyber security measures that banks need to take to prevent such hacks in the future.