FocusIT Data Breach, August 2022
On August 18, 2022, Josh Bopp, President of FocusIT, notified Chris Oswald, E.V.P.-Chief Operations Officer/Information Technology (IT) Security/Compliance Officer, of a breach occurrence impacting the hosted customer database of the Farmers and Merchants Bank Mortgage Division on August 2, 2022. FocusIT is a third-party vendor of the Farmers and Merchants Bank’s Mortgage Division responsible for hosting the Calyx Point mortgage origination and loan processing software application. FocusIT was notified by the Texas Financial Crimes Intelligence Center on August 2, 2022, that an unknown threat actor(s) potentially compromised a third-party system, Hightail, Inc., affecting the secure database records hosted by FocusIT.
FocusIT contracted Arete, a cybersecurity forensics firm, to perform a comprehensive investigation and review of the reported breach occurrence. Arete completed their cyber forensics investigative review of FocusIT computer systems and applications on August 21, 2022. Their review indicated that on Monday, July 25, 2022, a threat actor(s) posted and displayed login credentials of a FocusIT employee, possibly compromised through a phishing email, on the dark web for $300 in payment. The Texas Financial Crimes Intelligence Center and FocusIT contacted a “Russian speaking, threat actor” and negotiated payment to receive the database records. Josh Bopp, President, and Arete could not determine if others purchased the database records from the displayed FocusIT login credentials.
Arete concluded in their investigation that there was no definitive, identified source of the compromise of FocusIT login credentials or a breach occurrence at Hightail, the third-party vendor previously contracted by FocusIT to securely exchange hosted database records in the Calyx Point software application between client banks and mortgage companies nationwide.
In review of the Arete – Excel Listing of customer database records for the Farmers and Merchants Bank’s Mortgage Division, approximately 5,300 individual customers are potentially at risk of compromise of personal information, including Tax ID Numbers (SSN). FocusIT has prepared a letter of notification to each impacted customer and provided it to the senior management of Farmers and Merchants Bank for their review and approval; the letter was authorized by Farmers and Merchants Bank on September 9, 2022. Each letter of notification outlines the forensics investigation review, a description of Equifax Credit Monitoring services extended to the individual at no cost, contact information for reporting consumer Fraud Alerts, and information on security freezes with credit bureaus if desired by the individual.
In reporting this information, Farmers and Merchants Bank regrets the occurrence of the data breach by its third-party vendor, FocusIT, affecting customers of the bank’s Mortgage Division. Farmers and Merchants Bank discontinued third-party services with FocusIT in July 2022 due to termination of hosted services for the Calyx Point software application in a scheduled migration/conversion to the Calyx Path software application. In response to the breach occurrence, FocusIT contracted two (2) additional threat intelligence and security monitoring systems with Sentinel, a leading industry security provider, and contracted additional (IT) Security Risk Assessment Audits with an independent audit firm.
Farmers and Merchants Bank maintains stringent Information Technology (IT) security and compliance practices in protection of all computer network systems and software applications in accordance with the Federal Financial Institutions Examination Council (FFIEC) industry standards. Annually, Farmers and Merchants Bank contracts an independent Information Technology (IT) Security Audit Consultant to perform a comprehensive (IT) Risk Assessment of the bank’s network security infrastructure, systems, and applications in accordance with NIST Cybersecurity Framework guidelines for mitigation of cybersecurity risks. From the implementation date of the bank’s computer network on September 30, 2002, there have been zero (0) occurrences of data breaches to any of Farmers and Merchants Bank’s computer systems, software applications, and stored databases to the current date of September 20, 2022.
Prepared and Submitted by: Christopher T. Oswald, Executive Vice President – Chief Operations Officer (Information Technology (IT) Security / Compliance Officer), September 21, 2022