MainStreet Bank reports vendor cyber incident that leaked customer info
MainStreet Bank said a cyberattack affecting one of its vendors exposed the sensitive information of about 5% of its customers.
In regulatory filings with the Securities and Exchange Commission (SEC) on Friday afternoon, MainStreet Bancshares said it was informed in March that the vendor was compromised.
“Although each vendor undergoes a thorough security vetting process, we swiftly ceased all activity with this provider,” the company said, adding that they concluded a review of the scope of the incident in late April.
The company did not respond to a request for comment about how many customers were affected and what information was stolen. The Fairfax, Virginia-based bank has six full-service branches in Virginia and Washington, D.C.
An investigation determined that MainStreet Bank’s systems had not been compromised and no unauthorized transactions were conducted. The investigation found no evidence that money was stolen from any accounts, and customers have continued to be able to conduct transactions.
MainStreet Bank said it notified regulators of the incident and informed customers on May 26. The company created monitoring systems and provided victims with “tools to monitor any suspicious activity.”
According to the filing, the incident has not had a “material impact” on the company’s operations.
MainStreet Bank reported deposits of about $1.9 billion in the last quarter and a net income of $2.5 million. In 2024, the company reported a loss of $9.98 million.
The filing comes days after five major banking associations sent a letter to the SEC demanding it rescind the cyber incident disclosure rule that forces banks to report cyberattacks.
The rule, which went into effect last year, has been attacked repeatedly by members of Congress and banks, many of which argue that the requirements “impose additional risks, cost, and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors.”
The associations said in the letter that the initial fears expressed by industry “have manifested.”
“Registrants have been forced to publicly disclose an incident even if it is ongoing, the company’s investigation is not complete, and the incident has not been fully remediated,” they said.
“The premature disclosure has harmed registrants and at the same time failed to provide the market with meaningful or actionable information upon which to make investment decisions.”
The letter notes that despite repeated efforts by the FBI, Justice Department and SEC to clarify the rule, banking institutions and SEC-regulated companies are still confused about when to file incidents.
The banks claimed that hackers have started to leverage the reporting requirement against them, using it “as additional extortion leverage,” and referenced a 2023 incident in which the AlphV ransomware gang extorted financial software company MeridianLink. They said there have been other instances “where threat actors have deployed similar pressure on victims and referenced the incident disclosure requirement in connection with threats and demands.”
“The incident disclosure requirement has been weaponized as an extortion method by ransomware criminals to further malicious objectives, and may subject disclosing companies to additional cybersecurity threats,” they said, adding that the financial sector already has to comply with at least 10 confidential incident reporting requirements.
One of the biggest issues — whether an incident is “material” to a company’s financial standing — has continued to cause confusion, the banking associations said. Of the 32 filings so far, only nine identified a material impact in their initial disclosures, and just two more did so in amended filings.
“Rather than providing clarity, the inconsistent use of [the rules]... injects uncertainty into the market and undermines the objective of standardized, decision-useful disclosure,” they said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.