Happy State Bank Logo Channel 10
(image source: Channel 10, 2021)
One-sentence summary:
A Happy State Bank employee’s email was compromised via phishing, potentially breaching the sensitive data of over 10,000+ customers.
Who was involved?
Texas-based Happy State Bank, a division of Centennial Bank, a threat actor, and 10,069 customers (Williamson, 2023).
What was the timeline?
July 28, 2022: Happy State Bank’s employee is phished via email, breaching their account
July 29, 2022: Happy State Bank becomes aware of their breach and ends it
February 7, 2023: HSB finalizes its post-breach investigation.
March 16, 2023: Happy State Bank notifies Maine/Maine resident
March 17, 2023: HSB breach notice is published on the Texas OAG’s breach portal
What occurred?
A Happy State Bank employee’s email was breached via successful phishing, potentially exposing the following sensitive data of over 10,069 customers: “name, Social Security number, date of birth, and
financial account number (not including security code, access code, passwords or PIN for the
account)” (Happy State Bank, 2023, p. 2).
Estimated costs:
Associated incident response costs, data breach notification costs, M-F call center
Involved laws:
State laws: Maine: 10 M.R.S.A. § 1346
Texas: Tex. Bus. & Com. Code §§ 521.002, 521.053
Root cause:
Email phishing
Lessons learned:
HSB has strengthened its email security following the incident (Happy State Bank, 2023, p. 5). They are also providing additional training to their employees (Happy State Bank, 2023, p. 2). User awareness training is critical for any user with any public-facing access (e.g., email, phone, etc.). Mail gateways must also be employed and synchronized with threat intelligence sources to quickly detect and quarantine malicious links/files and flag/remove suspected phishing emails. Having a 24/7 SOC to monitor inbound email traffic and potentially flag suspicious activity through the entire kill chain/MITRE framework can also help quickly stop or contain incidents.
Example solutions:
User Awareness:
Knowbe4 https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
Proofpoint https://www.proofpoint.com/us/products/security-awareness-training
Email Gateway:
Barracuda https://www.barracuda.com/products/email-protection/email-security-gateway
Proofpoint https://www.proofpoint.com/us/threat-reference/email-gateway
Sources:
Channel 10. (2021, September 16). t_f85052fb36584fc59371cc1effccdd3a_name_file_1280x720_2000_v3_1_.jpg. Cloudfront. https://do0bihdskp9dy.cloudfront.net/09-16-2021/t_f85052fb36584fc59371cc1effccdd3a_name_file_1280x720_2000_v3_1_.jpg
Happy State Bank. (2023). Happy State Bank – Notice of Data Event – ME.pdf. In Data Breach Notifications (AI3691 v.02). Office of the Maine Attorney General. Retrieved March 21, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/fe93a1a4-6d7c-4833-b110-bc795599b539/de6ebbba-bcd7-4f17-b764-7a7ce02ab3de/document.html
Williamson, M. (2023, March 16). Data Breach Notifications. Office of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches. Retrieved March 21, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/fe93a1a4-6d7c-4833-b110-bc795599b539.shtml
Commentary:
Only one Maine resident was affected by the Texas-based bank but still subjects the entire bank to detailed reporting requirements within Maine’s breach portal per Maine state law. This shows the power of state laws in providing transparency. Texas should follow suit as its breach portal is not very detailed in comparison (doesn’t show sample breach letters, detailed descriptions, etc.). I am also happy (no pun intended) to see Happy State Bank was also transparent in providing the root cause details of their breach.
