TAMPA, Fla.–A bank that helps more than 750 smaller financial institutions, including some credit unions, has announced its security was breached for approximately 16 months.
TCM Bank said a website misconfiguration exposed the names, addresses, dates of birth and Social Security numbers of thousands of people who applied for cards between early March 2017 and mid-July 2018, according to KrebsOnSecurity.com.
TCM is a subsidiary of Washington, D.C.-based ICBA Bancard Inc., which helps community banks provide a credit card option to their customers using bank-branded cards.
In a letter being mailed to affected customers, KrebsOnSecurity.com reported TCM said the information exposed was data that card applicants uploaded to a website managed by a third party vendor. TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.
According to KrebsOnSecurity.com, Bruce Radke, an attorney working with TCM on its breach outreach efforts to customers, provided a statement saying fewer than 10,000 consumers who applied for cards were affected. Radke declined to name the third-party vendor, saying TCM was contractually prohibited from doing so, KrebsOnSecurity.com reported.
“It was less than 25% of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke was quoted by KrebsOnSecurity as saying. “We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”