SR Bancorp Discloses Vendor Data Breach Affecting Customer Records
SR Bancorp, the parent company of Somerset Regal Bank, reported a data security incident involving unauthorized access to customer information held by its external auditor, Mercadien. The breach, disclosed in an SEC filing on July 10, 2026, occurred when an outside party accessed files on Mercadien’s servers containing sensitive data, including names, Social Security numbers, account numbers, identification documents, and dates of birth.
While the incident exposed certain customer records, SR Bancorp confirmed that its own systems, operations, payment processing, and customer access remained unaffected. The company stated that the breach is not expected to have a material impact on its financial condition or operational results. Affected customers are being notified in accordance with legal requirements.
The breach highlights the risks associated with third-party vendors handling sensitive financial data, underscoring the need for robust security measures across extended service providers.
Mercadien TPRM report: https://www.rankiteo.com/company/the-mercadien-group
"id": "the1783722361",
"linkid": "the-mercadien-group",
"type": "Breach",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Yes',
'industry': 'Banking',
'name': 'SR Bancorp (Somerset Regal Bank)',
'type': 'Financial Institution'},
{'industry': 'Accounting/Auditing',
'name': 'Mercadien',
'type': 'External Auditor'}],
'attack_vector': 'Third-party vendor compromise',
'customer_advisories': 'Affected customers are being notified',
'data_breach': {'personally_identifiable_information': 'Names, Social '
'Security numbers, '
'account numbers, '
'identification '
'documents, dates of '
'birth',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII), Financial '
'Data'},
'date_publicly_disclosed': '2026-07-10',
'description': 'SR Bancorp, the parent company of Somerset Regal Bank, '
'reported a data security incident involving unauthorized '
'access to customer information held by its external auditor, '
'Mercadien. The breach occurred when an outside party accessed '
'files on Mercadien’s servers containing sensitive data, '
'including names, Social Security numbers, account numbers, '
'identification documents, and dates of birth. Affected '
'customers are being notified in accordance with legal '
'requirements.',
'impact': {'data_compromised': 'Names, Social Security numbers, account '
'numbers, identification documents, dates of '
'birth',
'identity_theft_risk': 'High',
'operational_impact': 'No material impact on financial condition '
'or operational results',
'payment_information_risk': 'High',
'systems_affected': 'Mercadien’s servers'},
'lessons_learned': 'Highlights risks associated with third-party vendors '
'handling sensitive financial data',
'post_incident_analysis': {'root_causes': 'Unauthorized access to third-party '
'vendor (Mercadien) servers'},
'recommendations': 'Need for robust security measures across extended service '
'providers',
'references': [{'source': 'SEC filing'}],
'regulatory_compliance': {'regulatory_notifications': 'SEC filing'},
'response': {'communication_strategy': 'Customer notifications in accordance '
'with legal requirements'},
'title': 'SR Bancorp Discloses Vendor Data Breach Affecting Customer Records',
'type': 'Data Breach'}