2023-07-03 Hilltop Holdings Inc. Cybersecurity Incident

Page last updated on April 11, 2024

Hilltop Holdings Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-07-03 07:00:17 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-06-27
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-07-03

Hilltop Holdings Inc. filed an 8-K at 2023-07-03 07:00:17 EDT
Accession Number: 0001104659-23-077393

Item 8.01 Other Events.

On June 27, 2023, a third-party vendor (“Vendor”) of PlainsCapital Bank (the “Bank”), a wholly owned subsidiary of Hilltop Holdings Inc. (the “Company”), confirmed to the Bank that data specific to the Bank’s customers was likely obtained in a security incident that the Vendor experienced targeting a zero-day vulnerability (the “Vendor Incident”) in the Vendor’s instance of the MOVEit Transfer Application (“MOVEit”). MOVEit is a managed file transfer software used by thousands of organizations. The Bank uses Vendor’s systems as the Bank’s core operating system. Vendor has advised the Bank that the vulnerability causing the Vendor Incident has been patched.

As a result of this Vendor Incident, an unauthorized party likely obtained information in the Vendor’s possession about substantially all of the Bank’s customers, including social security numbers and account numbers. The Bank is committed to ensuring that appropriate notifications are provided to impacted customers and to regulatory agencies as required by federal and state law. The Bank plans to offer impacted customers, at their election, complimentary credit monitoring and identity restoration services, which will be described in the notifications.

Upon receiving notification of the Vendor Incident, the Company and the Bank, together with the Vendor, promptly launched an investigation to determine the scope and nature of any Bank customer data that may have been impacted. At this time, there is no indication that the Vendor Incident has had any impact on any of the Company’s or the Bank’s information systems or customer access credentials, and there has been no material interruption to the Bank’s business operations. The Company has incurred, and may continue to incur, certain expenses related to this Vendor Incident, including expenses to respond to, remediate and investigate this matter. Further, the Company remains subject to risks and uncertainties as a result of the Vendor Incident, including as a result of the data that was accessed. Additionally, security and privacy incidents have led to, and may continue to lead to, litigation and additional regulatory scrutiny. The Company is in the process of evaluating the full scope of the costs and impact of the Vendor Incident. The Company also is working with other vendors for the Bank and the Company’s broker-dealer and mortgage origination segments to determine whether they were similarly impacted by the MOVEit vulnerability.

Company Information