2023-07-25 PACIFIC PREMIER BANCORP INC Cybersecurity Incident

Page last updated on April 11, 2024

PACIFIC PREMIER BANCORP INC initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-07-25 06:01:28 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-07-20
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)


8-K filed on 2023-07-25

PACIFIC PREMIER BANCORP INC filed an 8-K at 2023-07-25 06:01:28 EDT
Accession Number: 0001028918-23-000106

Item 8.01 Other Events.

On July 20, 2023, a third-party vendor (“Vendor”) to Pacific Premier Bank (the “Bank”), the wholly-owned bank subsidiary of Pacific Premier Bancorp, Inc. (together with Bank, the “Company”), confirmed to the Bank that personally identifiable information associated with Bank clients had been compromised in a security incident Vendor experienced (“Vendor Incident”). The Vendor Incident resulted from a zero-day vulnerability in a popular file sharing software Vendor used called MOVEit Transfer (“MOVEit”). Progress Software Corporation developed and maintains MOVEit, which is used by thousands of organizations around the world. According to recent national media reports, the MOVEit zero-day vulnerability was exploited in a large-scale, cyber campaign that is impacting government agencies, universities, and corporations around the world. The Bank uses Vendor for certain tax and compliance operational support services.

As a result of the Vendor Incident, an unauthorized party was able to obtain access to certain Bank client data files in Vendor’s possession that contained social security numbers, account numbers, and other personally identifiable information. The Bank is working with Vendor to provide appropriate notifications to potentially affected parties and to regulatory agencies as required by federal and state law.

The Vendor confirmed that it has implemented the recommended patches released by Progress Software for the MOVEit platform to date and has taken other security measures with respect to file transfers. Upon learning of the Vendor Incident, the Company promptly investigated the matter to determine the scope and nature of any Bank client data that may have been affected. There is no indication the Vendor Incident involved the Company’s internal network or IT systems, and there has been no material interruption to the Company’s business operations.

Due to the apparent widespread scope of the MOVEit vulnerability, the Bank proactively engaged with other third-party vendors to determine any impact on them. With the exception of one third-party vendor who reported that bill payment data in its possession specific to a single client of the Bank had been compromised, each vendor indicated that it was not affected by the MOVEit vulnerability. As of the date of this report, the Bank is not aware of any other third-party incidents related to the MOVEit vulnerability that has affected personally identifiable information associated with Bank clients.

The Company has incurred, and may continue to incur, certain expenses related to the Vendor Incident. Further, the Company remains subject to risks and uncertainties as a result of the Vendor Incident, including litigation risk and additional regulatory scrutiny. While the Company is continuing to evaluate the full scope and impact of the Vendor Incident, the Company currently believes this incident will not have a material adverse effect on its or the Bank’s business, operations, or financial results.

Company Information

SIC Description: State Commercial Banks
Ticker: PPBI - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 30