The Vermont Office of the Attorney General disclosed a data breach affecting TD Bank on July 10, 2024, stemming from an inadvertent email misdelivery on July 1, 2024. The incident exposed personal information of two individuals, including names, loan numbers, dates of birth, and contact details. The breach occurred due to human error, where an employee accidentally sent an email containing sensitive customer data to an unauthorized recipient. While the exposed data did not include highly critical financial records (e.g., Social Security numbers, bank account details, or passwords), the leak still posed risks such as identity theft, phishing attempts, or targeted scams leveraging the compromised personal details. TD Bank has not reported evidence of malicious exploitation of the exposed data, and the scope remains limited to the two affected individuals. However, the incident underscores vulnerabilities in internal communication protocols and the need for stricter data handling safeguards to prevent similar occurrences. Regulatory notifications were issued as part of compliance obligations, but no ransomware, systemic attack, or large-scale data exfiltration was involved.
Source: https://ago.vermont.gov/document/2024-07-10-td-bank-data-breach-notice-consumers
TPRM report: https://www.rankiteo.com/company/td-bank-canada-trust-usa
"id": "td-019091825",
"linkid": "td-bank-canada-trust-usa",
"type": "Breach",
"date": "7/2024",
"severity": "60",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '2',
'industry': 'Banking',
'location': 'United States (Vermont exposure reported)',
'name': 'TD Bank',
'type': 'Financial Institution'}],
'attack_vector': 'Human Error (Inadvertent Email)',
'data_breach': {'data_exfiltration': 'No (accidental exposure via email)',
'number_of_records_exposed': '2',
'personally_identifiable_information': ['names',
'dates of birth',
'contact information',
'loan numbers'],
'sensitivity_of_data': 'Moderate (PII but no '
'financial/payment data)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)']},
'date_detected': '2024-07-01',
'date_publicly_disclosed': '2024-07-10',
'description': 'The Vermont Office of the Attorney General reported a data '
'breach involving TD Bank on July 10, 2024. The breach '
'occurred on July 1, 2024, due to an inadvertent email that '
'exposed personal information, including names, loan numbers, '
'dates of birth, and contact information of two affected '
'individuals.',
'impact': {'brand_reputation_impact': 'Potential (limited to two individuals)',
'data_compromised': ['names',
'loan numbers',
'dates of birth',
'contact information'],
'identity_theft_risk': 'Low (limited exposure)'},
'investigation_status': 'Disclosed (no further details provided)',
'post_incident_analysis': {'root_causes': 'Human error (inadvertent email '
'sending)'},
'references': [{'date_accessed': '2024-07-10',
'source': 'Vermont Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'Vermont Attorney '
'General (mandatory '
'breach notification)'},
'response': {'communication_strategy': 'Public disclosure via Vermont '
'Attorney General'},
'title': 'TD Bank Data Breach via Inadvertent Email Exposure',
'type': 'Data Breach'}