Posted On November 15, 2022 Consumer Privacy & Data Breaches
On November 9, 2022, Old Point National Bank (“Old Point”) filed notice of a data breach with the Attorney General of Montana after an unauthorized party gained access to a bank employee’s email account containing sensitive information related to certain customers. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, driver’s license numbers and photos, Social Security numbers, and bank account numbers and balances. After confirming that consumer data was leaked, Old Point began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Old Point data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Old Point National Bank.
The available information regarding the Old Point Bank breach comes from the company’s filing with the Attorney General of Montana’s “Reported Data Breach Incidents” page. According to this source, on or around September 2, 2022, Old Point was the victim of a cyberattack involving a hacker obtaining remote access to a bank employee’s email credentials. As soon as the company learned of the unauthorized access, it shut down the affected email account, reported the incident to law enforcement, and then began working with cybersecurity experts to investigate the incident.
Old Point Bank’s investigation confirmed that the unauthorized party had gained access to the employee email account and that information belonging to certain bank clients was accessible through the account.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Old Point Bank began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, driver’s license number and photos, Social Security number, and bank account numbers and balances.
On November 9, 2022, Old Point Bank sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1922, Old Point National Bank is a regional bank based out of Hampton, Virginia. Old Point operates 19 branches throughout Hampton Roads and is part of the Allpoint ATM Network, giving customers free access to over 55,000 ATMs worldwide. Old Point National Bank is a wholly-owned subsidiary of Old Point Financial Corporation, a larger company that also owns Old Point Wealth Management, Old Point Mortgage, and Old Point Insurance. Old Point Bank employs more than 273 people and generates approximately $51 million in annual revenue.
Old Point National Bank stated that the recently announced breach was the result of an unauthorized party gaining access to an employee’s email account. While the company provided some details about what led to the incident, one fact the company did not discuss is how the unauthorized party was able to obtain access to the affected email account.
There are a few ways that hackers can access employee email accounts. However, most email-based cyberattacks involve phishing.
Phishing is a type of cyberattack in which a hacker sends an email from a seemingly legitimate source in hopes of obtaining the information they need to get into an employee’s email account. Usually, hackers will try to obtain an employee’s login credentials or convince them to click on a malicious link. Once an employee clicks on a malicious link or downloads a malicious file, it gives the hacker access to their device, including their email account.
While it may seem like it would be easy to tell a real email from a fake, phishing emails are designed to look official. And hackers are very good at this; for example, these emails may contain the company’s actual logo and are usually sent from an almost identical domain name. In the email, the hacker uses principles of social engineering to “trick” the employee into giving them the information they need to access the employee’s email account. For example, a hacker may create an email informing an employee that their email account is over the storage limit, requesting they input their login credentials to obtain additional storage.
Phishing emails are incredibly common. In fact, according to the Identity Theft Resource Center, in 2021, a third of all cyberattacks involved phishing. They are also incredibly effective, with 86% of companies reporting at least one employee clicking a phishing link in 2021. Of course, companies can prevent phishing attacks by training employees to be on the lookout for these fraudulent emails and implementing robust data security systems designed to detect unauthorized activity.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Old Point data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Old Point National Bank (the actual notice sent to consumers can be found here):
Old Point National Bank (“Old Point”), like many organizations across the country, has unfortunately been the victim of a cybersecurity incident involving a business email account at the Bank. We are writing to you to share with you how this may have affected your personal information and, as a precaution, to provide steps you can take to help protect your information. Old Point takes the privacy and security of your personal information very seriously, and we sincerely regret any concern this incident may cause you.
We were the victim of a cybersecurity incident involving an Old Point business email account being accessed by an unauthorized user. The incident occurred on or about September 2, 2022, when an unauthorized user gained access to the Old Point business email account remotely. We engaged leading outside cybersecurity experts who confirmed that the unauthorized user’s access was limited only to the web-based email platform and that no other systems at the Bank were impacted. While the unauthorized user was only able to gain access to this one email account for a brief period of time, the email account contained certain personal information of Old Point customers who were transacting business with the Bank. It is unknown whether the unauthorized user was able to discover or access this customer’s personal information. We have no evidence that the unauthorized user was able to use any of the personal information the email account contained to cause any harm to customers of Old Point or that your information was used for any malicious purpose. However, out of an abundance of caution, we are notifying you of this event and are asking you to stay vigilant regarding your personal information.
What Information Was Involved
The personal information involved was related to a loan or similar transaction, which may have included your name, a copy of your driver’s license, Social Security number, and Old Point account numbers and loan balances. Old Point has retained industry-leading outside security experts to conduct a thorough internal investigation into this incident and believes that your account or information at Old Point has not been fraudulently accessed. However, we want to alert you to this issue so that you can remain alert to any potential issues in the future.
What We Are Doing
Old Point immediately reported the incident to the appropriate law enforcement authorities including the Virginia State Police High Tech Crimes Unit, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and the FBI Cyber Crimes Division. Old Point is cooperating in the investigation of these incidents by law enforcement to help bring the attackers to justice. Old Point also took immediate steps to make sure that this information could not be utilized to cause damage to your account at Old Point by putting in place extra procedures and protocols to help protect your information. We also engaged leading cybersecurity experts to assist us in our investigation and the hardening of our environment. We are working to remain vigilant to the ever-changing cyberthreat landscape and encourage you to do the same. Additionally, to help prevent similar types of incidents from occurring in the future, we have implemented further security protocols designed to further protect our network, email environment, systems, and customer personal information.
What You Can Do
Please review the enclosed “Information About Identity Theft Protection” reference guide, which describes additional steps you may take to help protect your information. We recommend that you change your passwords for all your financial accounts and stay vigilant regarding issues around identity fraud for the next twelve to twenty-four months. Carefully review your monthly checking, savings and investment statements and use the provided identity monitoring service to ensure that no new cards, loans or mortgages have been taken out in your name.
To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for one year. Kroll is a global leader in risk mitigation and response, and their team has extensive experience helping people who have sustained an unintentional exposure of confidential data. Your identity monitoring services include Credit Monitoring, Fraud Consultation, and Identity Theft Restoration.
Visit [Redacted] to activate and take advantage of your identity monitoring services.
You have until [Redacted] to activate your identity monitoring services.
Membership Number: [Redacted]
For more information about Kroll and your Identity Monitoring services, you can visit [Redacted]. Additional information describing your services is included with this letter. Please review the enclosed “Additional Resources” section included with this letter. This section describes additional steps you can take to help protect your information, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file.
For More Information
The security of your personal information is extremely important to us and we sincerely regret that this incident occurred. If you have questions, please call (855) 504-2882, Monday through Friday from 9:00 a.m. to 6:30 p.m. Eastern Time, excluding major U.S. holidays.