Breach taxonomy
Summary
In March 2025, MainStreet Bancshares was notified that an outside vendor to its core banking system had been compromised. The company activated its incident response process and initially assessed the incident as likely non-material. A completed review on April 28, 2025 determined that the third-party vendor's compromised system included personally identifiable information on approximately 4.65% of MainStreet's customer base. The company confirmed that its own IT systems and networks were not compromised, no unauthorized transactions were executed, and customers were able to continue banking normally. Filed under Item 8.01; materiality not yet determined as of filing date.
Tagging rationale
ThreatUnknown
Filing does not attribute the incident to a specific actor → UNKNOWN.
MethodsData ExfilSupply Chain
The breach originated at a third-party core banking vendor that was compromised, enabling access to customer PII → DATA-EXFIL + SUPPLY-CHAIN.
AssetsPersonal Data
Filing discloses that personally identifiable information on approximately 4.65% of the company's customer base was exposed through the compromised vendor system → PERSONAL-DATA.
EffectsInfo Privacy Loss
Unauthorized access to customer PII with no operational disruption, no unauthorized transactions, and customers able to continue banking normally → INFO-PRIVACY-LOSS.
Business continuityNot Required
Filing confirms the company's own IT systems were not affected, customers could continue transactions, and no operational disruption occurred → Not Required.
Impact
PII exposed on a small subset (~4.65%) of the customer base via a third-party vendor breach; company confirmed no financial transactions were affected and the incident was not material → score 2.
InsuranceNot disclosed
Filing makes no mention of insurance → null.
Read the original SEC filing excerpt
Item 8.01 Other Events. On May 30, 2025, MainStreet Bancshares, Inc. (the Company) determined to report information related to a data security incident which it has been investigating. In March 2025, the Company was made aware that an outside vendor to the core bank had been compromised. The Company immediately activated its incident response process to investigate and remediate the incident and initially concluded that the incident's impact would likely not be material. Although each vendor undergoes a thorough security vetting process, we swiftly ceased all activity with this provider. On April 28, 2025, we concluded our own review and determined the third-party vendor's compromised system included personally identifiable information on a small subset of our customer base, approximately 4.65%. The Company determined that its own information technology systems and networks had not been compromised or affected, no unauthorized transactions had been executed, no monies had been transferred to the unknown persons, and customers had been able to continue to execute transactions with the Company. The Company has notified appropriate regulators. On May 26, 2025, appropriate monitoring systems were established and the impacted customers were notified and provided tools to monitor any suspicious activity. The incident has not had a material impact on the Company's current operations, and the Company does not anticipate any material impact on the Company's financial condition, results of operations, reputation, relationships, or prospects.