BUFFALO, N.Y. — If you are one of the thousands of M&T Bank customers here in Western New York, you may want to look for a letter in the mail with details on a major cybersecurity issue affecting your bank account.
2 On Your Side sought to find out more.
Letters from Buffalo-based M&T Bank were in the mail last week, and they warned about what the corporation calls a cybersecurity incident affecting a computer file transfer tool called MOVEit from a company called Progress Software.
It was actually a worldwide ransomware attack launched by Russian hackers using a virus called CLOP, which struck government agencies, educational facilities, and corporations. It was actually discovered back in May with a formal warning in early June from CISA, the Federal Cybersecurity and Infrastructure Security Agency.
Retired FBI Supervisory Agent and Cybersecurity Expert Holly Hubert (Global Security IQ) told us: “My understanding is it affected tens of millions of individuals.”
M&T managers declined an interview. However, they did state, as they did in the letter, their internal IT systems were not directly affected but third-party service providers were, and that customers’ names, addresses, and M&T bank account numbers were “exposed.”
The banking firm added that fortunately pins and passwords were not open to hackers. Also, no customer social security numbers, birthdates, or debit or credit card numbers were disclosed.
“It is a potential risk, and most organizations do have some third-party applications that help make up their internal computing infrastructure,” Hubert said.
But again, with customer names and bank account numbers out there, should there be big alarm bells for customers?
“We shouldn’t be panicking that our banking data is out there somewhere and somebody is going to drain all our money,” Hubert said. “I don’t think we should panic. And then the opposite side of the coin is I don’t think we should have this desensitized nature that, ‘Oh, everybody has everything so what can I do?’ I think we need to be in the middle and have a reasonable, moderate response and do the things you can, such as have long and strong passwords, change your password every so often.”
Hubert did emphasize that “M&T is offering I think Equifax plus credit monitoring. Definitely take advantage of that.”
Of course, we must point out that Equifax itself was hit by hackers back in 2017 with data from over 147 million individuals exposed.
Hubert also explained that while this cybersecurity event was first spotted in May, and now we have bank notification in late August, it can take a while for a cyber response team to determine the actual total impact with all these connected companies and even government agencies in this case.