The California Office of the Attorney General disclosed a data breach affecting Simmons Bank on November 15, 2022, stemming from a cybersecurity incident involving one of the bank’s third-party vendors. The breach, which occurred on September 21, 2022, exposed sensitive customer information, including names, addresses, Social Security numbers (SSNs), and driver’s license numbers. While the exact number of affected individuals remains undisclosed, the compromised data poses significant risks, such as identity theft, financial fraud, and unauthorized access to personal accounts. The incident highlights vulnerabilities in the bank’s vendor ecosystem, raising concerns about supply chain security and the protection of customer data. Given the nature of the exposed information particularly SSNs and driver’s license numbers the breach could lead to long-term repercussions for affected customers, including potential credit damage, phishing attacks, or fraudulent activities under their identities. Simmons Bank has not publicly detailed the specific attack vector (e.g., phishing, malware, or system exploitation), but the involvement of a vendor suggests a possible exploitation of weak access controls or unpatched vulnerabilities within the third-party’s infrastructure. Regulatory scrutiny and potential legal consequences may follow, as financial institutions are subject to strict data protection laws (e.g., GLBA, CCPA). Customers are advised to monitor their accounts, enable fraud alerts, and consider credit freezes to mitigate risks. The breach underscores the critical need for robust vendor risk management and proactive cybersecurity measures to prevent similar incidents in the future.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-559207
TPRM report: https://www.rankiteo.com/company/simmonsbank
"id": "sim1009090725",
"linkid": "simmonsbank",
"type": "Breach",
"date": "8/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Unknown',
'industry': 'Financial Services',
'location': 'United States (primarily Arkansas, with '
'operations in California)',
'name': 'Simmons Bank',
'type': 'Bank'},
{'name': 'Unnamed Vendor',
'type': 'Third-Party Service Provider'}],
'data_breach': {'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': ['names',
'addresses',
'Social Security '
'numbers',
'driver’s license '
'numbers'],
'sensitivity_of_data': 'High (includes SSNs and driver’s '
'license numbers)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_detected': '2022-09-21',
'date_publicly_disclosed': '2022-11-15',
'description': 'The California Office of the Attorney General reported a data '
'breach involving Simmons Bank on November 15, 2022. The '
'breach may have affected customer names, addresses, Social '
'Security numbers, and driver’s license numbers, though the '
'number of individuals impacted is unknown. The breach '
'reportedly occurred on September 21, 2022, due to a '
"cybersecurity incident affecting the bank's vendor.",
'impact': {'data_compromised': ['names',
'addresses',
'Social Security numbers',
'driver’s license numbers'],
'identity_theft_risk': 'Potential (PII exposed)'},
'references': [{'date_accessed': '2022-11-15',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Potential violation of '
'California Consumer '
'Privacy Act (CCPA) or '
'other state/federal data '
'protection laws'],
'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': 'Public disclosure via California '
'Office of the Attorney General'},
'title': 'Simmons Bank Data Breach via Vendor Incident',
'type': 'Data Breach'}