US bank reports itself after slinging customer data at 'unauthorized AI app'
Briefly

"Community Bank, which operates in southwestern Pennsylvania, Ohio, and West Virginia, filed an 8-K with the regulator on Monday, saying it launched an investigation into the internal cockup, which remains ongoing. It felt compelled to submit the filing "due to the volume and sensitive nature of the non-public information." This included customer names, dates of birth, and Social Security numbers, but the filing provided no further detail about the incident."
"Community Bank did not specify what this "unauthorized AI-based software application" was or how it was used. However, the disclosure of data such as SSNs, which in the US are generally categorized among the most sensitive types of data that organizations can store on behalf of customers, is protected under several federal and state laws. One possibility is that the data was entered into a generative AI tool outside the bank's approved systems."
"If so, that could raise questions about whether the information was transmitted to a third-party provider and how it may have been retained or processed. The Register asked Community Bank for more details and will update this story if it responds. The bank confirmed that it suffered no operational impact and customers were not prevented from accessing their accounts or payment services as a result."
""The company is evaluating the customer data that was affected and is conducting notifications as required by applicable federal and state laws and regulatory guidance," Community Bank stated in its cybersecurity disclosure. "The company has been, and continues to be, in communication with relevant banking and financial regulators regarding the incident." It also promised to continue its remediation effor"
A US commercial bank filed an 8-K with the SEC after launching an investigation into an internal incident involving customer data entered into an unauthorized AI-based software application. The filing stated the bank acted because of the volume and sensitive nature of non-public information, including customer names, dates of birth, and Social Security numbers. The bank did not identify the specific application or explain how the data was used. The incident raised concerns about whether information was transmitted to a third party and how it might be retained or processed. The bank reported no operational impact and no disruption to customer access to accounts or payment services. It stated it is evaluating affected data, conducting required notifications, communicating with regulators, and continuing remediation efforts.
Read at theregister