Breach taxonomy
Summary
On August 14, 2025, BayFirst National Bank was notified of a cybersecurity incident at a third-party marketing services provider. On October 28, 2025, the provider confirmed that personal information of some BayFirst customers — including names, dates of birth, and Social Security/tax identification numbers — was accessed without authorization. The incident was contained to the third-party provider's environment, and no customer accounts at BayFirst were directly breached. Impacted customers will be notified directly.
Tagging rationale
ThreatUnknown
Filing does not attribute the incident at the third-party marketing provider to any specific actor category -> UNKNOWN.
MethodsData ExfilSupply Chain
Unauthorized access to customer PII occurred at a third-party marketing services provider (SUPPLY-CHAIN) resulting in data exfiltration (DATA-EXFIL) of customer records.