A New York-based bank says a global cybersecurity incident has exposed sensitive customer data.
In a letter to customers, M&T Bank says the exploit involves the file transfer tool MOVEit, which is used to securely send and receive confidential information.
According to the bank, the attacker was able to access customer data by targeting one of the lender’s third-party vendors.
“Our investigation did, however, determine that certain information at our external service providers was compromised, including some of your information.
That information included your name, address and M&T checking, savings and/or money market account number(s).
While this data was exposed, rest assured no PINs, passwords, or other sensitive data, such as social security numbers, date of birth, or debit/credit card numbers, was accessed.”
M&T Bank says its own internal systems were not compromised and not at risk from the data breach.
A customer affected by the data breach has a class action lawsuit against M&T Bank for “failing to properly secure and safeguard” data stored within the lender’s network.
According to the lawsuit, the security incident exposed the data of at least 95,000 customers with hundreds of thousands more likely to be impacted based on M&T Bank’s clientele.
M&T Bank has over $207 billion in assets and operates in 12 states across the Eastern United States.
