2023-07-14 Sound Financial Bancorp, Inc. Cybersecurity Incident

Page last updated on April 11, 2024

Sound Financial Bancorp, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-07-14 12:20:25 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-07-14
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-07-14

Sound Financial Bancorp, Inc. filed an 8-K at 2023-07-14 12:20:25 EDT
Accession Number: 0000927089-23-000102

Item 8.01 Other Events.

Progress Software Corporation (“PSC”) recently disclosed a zero-day vulnerability, which is a previously unknown flaw, in its MOVEit Transfer software (“MOVEit”) that could enable malicious actors to gain unauthorized access to sensitive files and information. MOVEit is a managed file transfer software developed and maintained by PSC and used by thousands of organizations. MOVEit is now the subject of a widely reported cybersecurity event impacting numerous organizations and governmental agencies.

Sound Community Bank (the “Bank”), a wholly owned subsidiary of Sound Financial Bancorp, Inc. (the “Company”), was notified by one of its third-party vendors (the “Vendor”) that the Vendor used MOVEit to transfer information related to the Bank’s approximately 16,000 mobile and online banking customers. The Bank, as well as many other financial institutions, uses the Vendor for certain regulatory compliance and operational support services, including account hosting and transaction processing.

Although the investigation regarding the potential breach of the Bank’s customer data is still ongoing, the Bank has been informed by the Vendor that the Vendor’s forensic investigation indicates that the Bank’s customer data was downloaded only one time in connection with a valid file transfer request by the Bank and, to date, there has been no indication that any personal data of the Bank’s customers has been compromised.

The Bank has notified law enforcement, as well as its primary banking regulators, and will continue to keep them informed. Further, the Bank is working diligently to notify all potentially affected customers as soon as reasonably possible. In the interim, the Bank’s customers who have questions are encouraged to contact the Bank’s Client Service Center at 1-800-458-5585 or their personal banker.

The Bank does not itself use the MOVEit file transfer system, and the Vendor has informed the Bank that the Vendor has rectified the vulnerability that allowed the incident to occur. The Company does not currently believe the Vendor incident will have a material adverse effect on its business, operations, or financial results.

Company Information