Dive Brief:
- U.S. Bank notified some customers on Friday that their personal information was accidentally shared by a third-party vendor, according to letters posted to the California Attorney General's website.
- On Sept. 27, a third-party collections recovery group accidentally shared the names, addresses, Social Security numbers, birthdays, closed account numbers and outstanding balances of about 11,000 customers, a U.S. Bank spokesperson told Banking Dive.
- The bank found the error immediately and all recipients of the file agreed to cooperate with U.S. Bank in securing the information, the bank said.
Dive Insight:
The scope of this breach is small: This incident affects only 11,000 customers of closed credit card accounts, and the data was shared from one of the bank’s third-party vendors to one other collections agency.
An employee noticed the issue immediately, the spokesperson said, and the information was secured and destroyed. The bank has since received a certificate of destruction of information.
U.S. Bank does not believe the incident will cause any further risk to customers’ data, but it’s providing those affected with two years of free credit monitoring. The bank also recommends that customers place fraud alerts on their credit cards and “remain vigilant.”
“Again, given the circumstances, we do not believe there is any risk to these customers; however, we are taking these steps out of an abundance of caution,” the spokesperson said.
U.S. Bank’s breach is dwarfed by 2022’s other cybersecurity woes, including the Flagstar Bank breach that affected 1.5 million customers this summer and wintertime’s Credit Suisse data leak that affected around 18,000 accounts.