M&T Bank Data Breach Exposes Sensitive Customer Information via Third-Party Provider
In August 2025, M&T Bank a major financial institution headquartered in Buffalo, New York, with over 960 branches across 12 states discovered a data breach stemming from a security incident at one of its third-party service providers. While the bank’s own systems remained unaffected, unauthorized access to files containing customer data occurred within the vendor’s environment.
The breach, disclosed to the Massachusetts Attorney General on April 17, 2026, exposed sensitive personally identifiable information (PII) of M&T Bank customers, including names, Social Security numbers, driver’s licenses, credit/debit card numbers, and financial account details. In Massachusetts alone, 462 individuals were confirmed as impacted.
Class action law firm Shamis & Gentile P.A. is currently investigating the incident, assessing potential claims for affected customers who may be eligible for compensation. The breach highlights ongoing risks associated with third-party vendor security in the financial sector.
Source: https://www.claimdepot.com/investigations/mt-bank-data-breach-2026
M&T Bank TPRM report: https://www.rankiteo.com/company/m&t-bank
Third-party service provider TPRM report: https://www.rankiteo.com/company/third-party-resources-inc-3pr-inc
"id": "m&tthi1776869694",
"linkid": "m&t-bank, third-party-resources-inc-3pr-inc",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'At least 462 individuals in '
'Massachusetts',
'industry': 'Banking',
'location': 'Buffalo, New York, USA',
'name': 'M&T Bank',
'size': 'Over 960 branches across 12 states',
'type': 'Financial Institution'}],
'attack_vector': 'Third-Party Vendor Compromise',
'data_breach': {'number_of_records_exposed': 'At least 462 (Massachusetts '
'only)',
'personally_identifiable_information': 'Names, Social '
'Security numbers, '
'driver’s licenses, '
'credit/debit card '
'numbers, financial '
'account details',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII), Social '
'Security numbers, driver’s '
'licenses, credit/debit card '
'numbers, financial account '
'details'},
'date_detected': '2025-08',
'date_publicly_disclosed': '2026-04-17',
'description': 'In August 2025, M&T Bank discovered a data breach stemming '
'from a security incident at one of its third-party service '
'providers. Unauthorized access to files containing customer '
'data occurred within the vendor’s environment, exposing '
'sensitive personally identifiable information (PII) of M&T '
'Bank customers, including names, Social Security numbers, '
'driver’s licenses, credit/debit card numbers, and financial '
'account details.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'third-party breach',
'data_compromised': 'Personally Identifiable Information (PII), '
'Social Security numbers, driver’s licenses, '
'credit/debit card numbers, financial account '
'details',
'identity_theft_risk': 'High',
'legal_liabilities': 'Potential class action investigation',
'payment_information_risk': 'High',
'systems_affected': 'Third-party service provider’s environment'},
'investigation_status': 'Ongoing (Class action investigation by Shamis & '
'Gentile P.A.)',
'lessons_learned': 'Highlights ongoing risks associated with third-party '
'vendor security in the financial sector',
'post_incident_analysis': {'root_causes': 'Third-party service provider '
'security incident'},
'references': [{'source': 'Massachusetts Attorney General'}],
'regulatory_compliance': {'legal_actions': 'Class action investigation by '
'Shamis & Gentile P.A.',
'regulatory_notifications': 'Disclosed to '
'Massachusetts Attorney '
'General'},
'response': {'communication_strategy': 'Disclosure to Massachusetts Attorney '
'General'},
'title': 'M&T Bank Data Breach Exposes Sensitive Customer Information via '
'Third-Party Provider',
'type': 'Data Breach'}