A bank breaks its silence on its shadow-AI breach

CB Financial Services, the parent company of a Pennsylvania community bank, has disclosed a cybersecurity incident in which an employee exposed customer data, including names, Social Security numbers, and dates of birth, by entering it into an unauthorized AI tool. The bank says it reached the vendor in time to keep the data out of model training, but the event still triggered SEC, regulatory, and customer notifications under the Gramm-Leach-Bliley Act, in what may be the first public filing of its kind tied to shadow AI.
CB Financial Services, the parent company of a Pennsylvania community bank, filed an SEC disclosure on May 11 revealing a cybersecurity incident caused by an employee's use of unauthorized AI software. While preparing a presentation, the employee entered non-public customer data, including names, Social Security numbers, and dates of birth, into an AI application the bank had not approved. The bank says it contacted the AI vendor in time to prevent the data from being used for training, but the exposure still triggered regulatory and legal obligations, including the 36-hour notice owed to its prudential regulator and customer notifications under the Gramm-Leach-Bliley Act.

The incident was first detected on May 5, and CB Financial determined by May 7 that it was material enough to disclose. In its Form 8-K, signed by President and CEO John H. Montgomery, the bank described the event as involving 'certain non-public customer information' exposed through unauthorized AI software. Although there was no operational disruption or financial impact, the bank classified the incident as material because of the sensitivity and volume of the data involved. CB Financial said it has engaged cybersecurity advisors, is coordinating with banking and financial regulators, and is notifying affected customers as required by law.

According to Montgomery and Jennifer George, the bank's senior executive vice president and chief operating officer, the employee used the unauthorized tool while working on a presentation instead of the bank's approved AI platform, which is provisioned with restricted accounts. Montgomery also confirmed that the employee accessed the unapproved tool through a personal account, meaning the bank had never vetted the service or its data-handling terms. The bank did not disclose how many customers were affected or exactly when the data was uploaded, noting that its investigation into the scope and cause is still ongoing.
The filing is a rare public disclosure of a shadow AI incident in the banking sector, and it highlights a growing risk as employees turn to unapproved AI tools for convenience. CB Financial emphasized that no external threat actor was involved and that operations were unaffected, but the case shows that a data breach does not require an attacker: a single upload of regulated data to an unvetted service is enough to trigger notification duties. The bank's response, combining prompt vendor outreach with regulatory reporting, may serve as a template for future disclosures of similar incidents.
This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.