← Back to incidents

Incident · Unknown

BayFirst Financial Corp. · BAFN

FinancialsUSAIncident August 14, 2025Filed October 28, 2025
Impact score
Business continuity
Insurance involved
Not disclosed
Filing
8-K · 1.05

Breach taxonomy

UnknownData ExfilSupply ChainPersonal DataInfo Privacy Loss

Summary

On August 14, 2025, BayFirst National Bank was notified of a cybersecurity incident at a third-party marketing services provider. On October 28, 2025, the provider confirmed that personal information of some BayFirst customers — including names, dates of birth, and Social Security/tax identification numbers — was accessed without authorization. The incident was contained to the third-party provider's environment, and no customer accounts at BayFirst were directly breached. Impacted customers will be notified directly.

Tagging rationale

ThreatUnknown

Filing does not attribute the incident at the third-party marketing provider to any specific actor category -> UNKNOWN.

MethodsData ExfilSupply Chain

Unauthorized access to customer PII occurred at a third-party marketing services provider (SUPPLY-CHAIN) resulting in data exfiltration (DATA-EXFIL) of customer records.

AssetsPersonal Data

Filing confirms that names, dates of birth, and Social Security/tax identification numbers of some BayFirst customers were accessed without authorization -> PERSONAL-DATA.

EffectsInfo Privacy Loss

Personal information including SSNs/tax IDs of BayFirst customers was accessed without authorization at the third-party provider -> INFO-PRIVACY-LOSS.

Impact

Small community bank with customer PII (including SSNs) exposed via a third-party marketing provider breach; incident contained to third-party environment; no customer accounts directly breached -> score 2.

InsuranceNot disclosed

Filing makes no mention of insurance -> null.

Read the original SEC filing excerpt
Item 1.05. Cybersecurity Incidents On August 14, 2025, BayFirst National Bank ("BayFirst") was notified of a cybersecurity incident experienced by a third-party provider of marketing services. On October 28, 2025, the third-party provider confirmed that some customer information was exposed by this incident. Upon learning of the incident, the third-party provider immediately launched an investigation, worked with BayFirst to understand the scope of the issue, and engaged the appropriate cybersecurity experts to assist. The third-party provider also promptly notified law enforcement. The incident was limited to the third-party provider's environment. Based on the information available to date, personal information, including name, date of birth, and social security/tax identification numbers of some BayFirst customers were accessed without authorization. To date, there is no evidence of the misuse, or attempted misuse, of personal information as a result of this incident. Impacted customers will be notified directly of this incident. BayFirst cannot quantify any material impact to its financial condition or operations, at this time.
View SEC filingBack to database

More in Financials

Unknown · March 23, 2026

Bitcoin Depot Inc.

On March 23, 2026, Bitcoin Depot discovered that an unauthorized party gained access to its IT systems and obtained control of credentials a

Unknown · March 2, 2026

Heritage Financial Corporation

On or about March 2, 2026, Heritage Financial Corporation detected unauthorized access to an internal file share server used by employees, w

Unknown · September 1, 2025

Prosper Marketplace, Inc.

On September 1, 2025, Prosper Marketplace identified that an unauthorized third party gained access to company systems containing proprietar

Unknown · June 12, 2025

Aflac Incorporated

On June 12, 2025, Aflac Incorporated identified unauthorized access to its network and contained the intrusion within hours. The company com