Community Bank reports data breach after employee shares customer info with unauthorized AI app

US bank discloses security lapse after sharing customer data with AI app | TechCrunch

Community Bank, which operates in Pennsylvania, Ohio, and West Virginia, disclosed a cybersecurity incident that exposed customers' names, dates of birth, and Social Security numbers. In an 8-K filing dated May 7 with the U.S. Securities and Exchange Commission, the bank said it detected an exposure of customers' personal data due to the use of "an unauthorized artificial intelligence-based software application." The bank said it disclosed the incident "due to the volume and sensitive nature of the non-public information at issue." It's unclear exactly what happened, but based on the language in the filing, it appears someone working for Community Bank may have uploaded customer data to an online AI chatbot, potentially exposing that information to the chatbot maker. While Community Bank did not disclose how many customers were affected by the incident, nor what AI application was involved, the company said it is "evaluating the customer data that was affected" and is sending notifications in accordance with relevant laws. Community Bank's chief executive John Montgomery did not immediately respond to TechCrunch's request for comment.

US bank reports itself after slinging customer data at 'unauthorized AI app'

A US commercial bank just tattled on itself to the Securities and Exchange Commission (SEC) for plugging a bunch of customer data into an unauthorized AI application. Community Bank, which operates in southwestern Pennsylvania, Ohio, and West Virginia, filed an 8-K with the regulator on Monday, saying it launched an investigation into the internal cockup, which remains ongoing. It felt compelled to submit the filing "due to the volume and sensitive nature of the non-public information." This included customer names, dates of birth, and Social Security numbers, but the filing provided no further detail about the incident. Community Bank did not specify what this "unauthorized AI-based software application" was or how it was used. However, the disclosure of data such as SSNs, which in the US are generally categorized among the most sensitive types of data that organizations can store on behalf of customers, is protected under several federal and state laws. One possibility is that the data was entered into a generative AI tool outside the bank's approved systems. If so, that could raise questions about whether the information was transmitted to a third-party provider and how it may have been retained or processed. The Register asked Community Bank for more details and will update this story if it responds. The bank confirmed that it suffered no operational impact and customers were not prevented from accessing their accounts or payment services as a result. "The company is evaluating the customer data that was affected and is conducting notifications as required by applicable federal and state laws and regulatory guidance," Community Bank stated in its cybersecurity disclosure. "The company has been, and continues to be, in communication with relevant banking and financial regulators regarding the incident." It also promised to continue its remediation efforts, take action to prevent future failures, and gave the "we're committed to protecting customers' data" line that always goes down so well. ®