Bank holding company First Horizon Corporation disclosed that some of its customers had their online banking accounts breached by unknown attackers earlier this month.
First Horizon is a regional financial services company with $84 billion in assets that offers banking, capital market, and wealth management services.
First Horizon Bank, the company’s banking subsidiary, operates a network of hundreds of bank locations in 12 states across the Southeast.
Attackers accessed personal info, stole funds
First Horizon discovered the attack in mid-April 2021 and said that it only impacted a limited number of customers.
The investigation found that the unknown threat actors were able to breach the customers’ online bank accounts using previously stolen credentials and by exploiting a vulnerability in third-party software.
“Using the credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 on-line customer bank accounts,” First Horizon added in an 8-K form filed with the U.S. Securities and Exchange Commission (SEC) on Wednesday.
The attackers were also able to gain access to customer information stored in the breached accounts and drain funds from some of them before their intrusion was discovered.
The financial services firm revealed that the attackers “fraudulently obtained an aggregate of less than $1 million from some of those accounts.”
Customers reimbursed after breach
The bank holding firm reimbursed all the impacted customers for their stolen funds after discovering the data breach.
First Horizon also notified relevant data regulators and law enforcement agencies and opened new banking accounts for affected customers.
The company also remediated the software vulnerability exploited by the attackers during the incident and reset the passwords for impacted accounts.
“Based on its ongoing assessment of the incident to date, the Company does not believe that this event will have a material adverse effect on its business, results of operations or financial condition,” First Horizon concluded.
While First Horizon did not provide any info on the exploited third-party software, massive collections of stolen user credentials potentially reused on multiple sites have been sold or leaked for free by various threat actors for years.
The most recent examples are tens of millions of user records containing personal data and credentials belonging to ParkMobile, BigBasket, and Nitro PDF customers shared for free on hacking forums.
First Horizon Bank division IBERIABANK Mortgage disclosed another data breach spanning almost two years and exposing customers’ personal info a day after its parent company merged with First Horizon Bank on July 3rd, 2020.
A First Horizon spokesperson was not available for comment when contacted by BleepingComputer earlier today for more details regarding the breach disclosed earlier this week.