Memphis, Tennessee-based First Horizon was hit by a data breach in which an unauthorized party obtained login credentials and exploited a vulnerability in third-party security software, the company announced in a filing Wednesday with the Securities and Exchange Commission (SEC). The compromise allowed attackers to access fewer than 200 online accounts, steal personal information from the victims and exfiltrate less than $1 million, according to the filing.
The company discovered the incident in mid-April and has since fixed the software vulnerability, reset passwords and is working with customers affected by the breach to close their accounts and open new ones.
First Horizon has reimbursed the funds and notified law enforcement and other appropriate authorities of the breach, according to the filing. Company officials do not expect the breach will have a materially adverse impact on its financial condition or business operations, they said in the filing.
The attack highlights the potential risk that financial institutions face when trying to protect customer account data and financial assets.
"Attackers are adept at finding the weakest link," Robert Haynes, software composition analyst and open-source evangelist at Checkmarx, said in an email. "This is most frequently a human, and often results in phishing or spear phishing attacks against IT staff, as their credentials are often most useful to an attacker."
The third-party software vulnerabilities could range anywhere from a virtual private network vulnerability to a software library that provides one-time passcodes, Haynes said.
Three-quarters of financial institutions, including banks and insurance companies in the U.K. and U.S., saw a rise in cybercrime in the 12-month period after March 2020, when the U.S. lockdown began, according to a report released Wednesday from BAE Systems Applied Intelligence.
"Attackers are building increasingly advanced capabilities to target core banking systems and becoming more aggressive, harming victims' ability to respond to attacks," said Adrian Nish, head of cyber at BAE Systems Applied Intelligence, as part of the report.
The report shows 56% of U.S. and U.K. banks and insurers had a surge in financial losses related to cyber activity over the past year, averaging about $720,000 per incident.
A separate report from VMware also indicates a surge in cyberattacks against financial institutions, particularly since the COVID-19 pandemic began in early 2020.
The report, based on interviews with 126 chief information security officers from across the globe, shows that 54% of financial institutions experienced destructive attacks against their organization, representing a 118% increase from 2020 figures.
First Horizon National Bank last year merged with Iberiabank, creating a bank with $79 billion in assets and $60 billion in deposits.
Bank officials could not be immediately reached for comment.