On September 20, this site noted a breach impacting some residents of Pell City, Alabama. At that time, there were many unanswered questions based on the little the city had disclosed.
Now they have published a press release that reveals that the breach involved their vendor, Technology Management Resources (TMR). The TMR breach had been described by Arkansas Methodist Medical Center in its own breach disclosure last month. In that disclosure, they had written:
On July 3, 2020, TMR discovered that a TMR employee’s user account had been compromised. AMMC was notified of this incident on August 24, 2020 and has been actively seeking information regarding the incident to be able to provide this notice.
Upon discovery of the incident, TMR reported that they secured the account and began an investigation in consultation with external cybersecurity professionals. TMR has stated that their investigation determined that the threat actor may have viewed images of checks and related images containing potential Protected Health Information (PHI) related to customers of Arkansas Methodist Medical Center. According to TMR, the threat actor activity occurred between August 5, 2018 and May 31, 2020, with the bulk of the activity occurring between February and May 2020. TMR notified the FBI of this incident.
Pell City, Alabama notes that 1,050 of their residents were impacted, but their notification gives a different date range that TMR gave them:
The City of Pell City has been informed of a potential security breach at Technology Management Resources, Inc. (TMR), which aids Valley Bank in processing check payments for utility customers. TMR has disclosed that an unknown third-party had access to the processing files, which contained scanned check images, from May 1 to May 3, 2020 and from June 1 to July 1, 2020.
This matter has been reported to the FBI for criminal investigation and TMR has engaged independent cybersecurity and forensics professionals to assess the situation. As of this date, there is no indication that the exposed information has been misused, disseminated, or made publically available.
In Pell City’s case, the exposed information includes the “name, address, checking account number, ABA routing number, and any other information appearing on the front of the check.”
DataBreaches.net sent an email inquiry earlier this morning to TMR seeking clarification as to the timeframe of the breach and to ask how many people, total, were being notified nationwide, but received no immediate reply. This post will be updated when a response is received.