1st Source says unauthorized third-party gained access to sensitive client data

In a regulatory filing, 1st Source Corporation disclosed that on May 31, a vendor to 1st Source Bank, a wholly owned subsidiary of the company, Progress Software Corporation, disclosed a previously unknown vulnerability in its MOVEit file transfer software that could enable malicious actors to gain unauthorized access to sensitive files and information. “MOVEit is used by thousands of organizations for secure data file transfers and is now the subject of a widely reported cybersecurity event impacting numerous organizations and governmental agencies around the world. The company uses MOVEit for secure file transfers supporting internal operations and client services. Upon learning of the vulnerability, the company promptly deployed cybersecurity defenses. This included patching the software according to the vendor’s published protocols, hardening of the host server containing the MOVEit software, and launching an internal investigation in partnership with outside independent cybersecurity forensic experts. The company’s investigation is ongoing, and it is also in contact with law enforcement and regulatory authorities. As part of its continuing investigation, the company discovered that an unauthorized third-party gained access to sensitive client data of commercial and individual clients, including personally identifiable information. The company has notified and is working with its commercial clients so impacted and is in the process now of identifying and directly notifying individual clients who have been impacted. The company will ensure that appropriate notifications are provided to impacted individuals who will be offered complimentary credit monitoring and identity restoration services. These will be described in the notifications. While the investigation is still ongoing, the vulnerability has been contained and there is no indication that there has been any impact on any of the company’s information systems other than the MOVEit application. There has been no interruption to the company’s systems, services, or business operations. The company is aware that certain of its critical vendors may also have been impacted by the same vulnerability, as it believes every user of this version of MOVEit software was, and that the company’s data processed and/or stored by such vendors may have been impacted. While the company has not received any notification that this happened, it will assess and respond to any impacts as part of its ongoing investigation or if so notified. The company is continuing to evaluate the impact of the vulnerability, including certain remediation expenses and other potential liabilities. The company does not currently believe the incident will have a material adverse effect on its business, operations, or financial results,” the company stated.