Community Bank Exposed Customer Data Through Unauthorized AI App Use
Community Bank disclosed a security incident after customer information was exposed through use of an unauthorized AI-based software application, according to a filing with the U.S. Securities and Exchange Commission. The bank said the compromised non-public data included customer names, dates of birth, and Social Security numbers, and that it reported the matter because of the volume and sensitivity of the information involved. Reporting indicates the lapse may have occurred when customer data was uploaded to an online AI chatbot or similar service, though the bank has not identified the application or explained the exact mechanism.
The bank said the incident did not disrupt operations or prevent customers from accessing accounts or payment services, but it is still assessing the scope of affected data and notifying impacted individuals as required by law. Community Bank is also communicating with banking and financial regulators and pursuing remediation to prevent a recurrence. The number of affected customers remains undisclosed.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
BWH Hotels publicly discloses guest reservation data breach
BWH Hotels notified customers and publicly disclosed that a third-party data breach affected guest reservation information across its hotel brands. The company warned affected guests to watch for phishing or scam attempts using stolen reservation details.
Community Bank files SEC 8-K on AI-related customer data exposure
On May 7, 2026, Community Bank disclosed in an SEC 8-K that customer personal data was exposed through use of an unauthorized AI-based software application. The bank said the exposed information included names, dates of birth, and Social Security numbers, and that it was assessing impact, notifying affected customers, and coordinating with regulators.
BWH Hotels detects breach and takes affected application offline
On April 22, 2026, BWH Hotels discovered the intrusion affecting its reservation web application. The company said it took the application offline, revoked unauthorized access, and engaged external cybersecurity experts to investigate and strengthen safeguards.
Unauthorized access begins in BWH Hotels reservation web application
BWH Hotels said an intruder gained unauthorized access to a web application storing guest reservation information, with exposed records dating back to October 14, 2025. The affected data included guest contact and reservation details, but not payment or banking information.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Community Bank customer data exposed via unauthorized AI software | brief | SC Media
scworld.com
Open sourceHackers accessed BWH Hotels reservation system for months
securityaffairs.com
Open sourceUS bank discloses security lapse after sharing customer data with AI app | TechCrunch
techcrunch.com
Open sourceU.S. bank disclose security lapse after sharing customer data with AI app | TechCrunch
techcrunch.com
Open sourceUS bank reports itself after AI customer data mishap
theregister.com
Open sourceBest Western Hotels confirms web app data breach
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI Chatbot Data Exposure and Institutional Restrictions Driven by Privacy and Security Risk
A misconfiguration in *Firebase* exposed nearly **300 million** private messages from roughly **25 million** users of the AI chatbot app **Chat & Ask AI**, after the app’s Firebase `Security Rules` were left publicly accessible. Reporting indicates the exposed data included full chat histories, bot names, and highly sensitive user prompts (including self-harm and potentially unlawful activity discussions); the issue was reported to developer **Codeway** by a researcher who also claimed to have identified similar inadvertent exposure across **103** other iOS apps, underscoring how common cloud-database misconfigurations remain as AI features are embedded into consumer applications. Separately, the **European Parliament** restricted lawmakers’ use of built-in AI tools on work devices, citing cybersecurity and privacy concerns about uploading confidential correspondence to external cloud services and uncertainty over how uploaded data may be stored, reused for model improvement, or accessed under non-EU legal authorities. In healthcare, ECRI Institute researchers warned that **AI chatbots** represent a leading 2026 health technology hazard due to safety, security, and privacy risks—particularly because many tools are not validated for clinical use—while also highlighting that IT outages (including those caused by cyberattacks) and legacy medical device issues remain major operational and patient-safety threats.
Mar 21, 2026
Marquis Software breach exposed SSNs and hit Community 1st Credit Union
Community 1st Credit Union disclosed a data breach tied to **Marquis Software Solutions**, a marketing and customer-engagement vendor that reportedly serves more than 700 banks and credit unions. Reporting indicates the vendor intrusion exposed sensitive customer data held on behalf of financial institutions, with Community 1st identifying affected individuals whose information was compromised through the third-party incident rather than a direct breach of the credit union's own network. Separate breach reporting says the Marquis incident affected **more than 1.3 million people** and exposed highly sensitive personal information, including **Social Security numbers**. The disclosures highlight the scale of third-party concentration risk in the financial sector, where a compromise at a single software provider can cascade across multiple banks and credit unions and trigger customer notifications, breach filings, and potential fraud and identity-theft concerns.
May 25, 2026
Social Engineering Breaches Exposed Customer Data at Figure and Allianz Life
Figure and Allianz Life disclosed separate breaches in which attackers used **social engineering** to gain access to systems holding large volumes of customer data. Figure said an employee was deceived into granting access, leading to the public posting of a dataset from January 2026 that contained more than **900,000 unique email addresses** as well as names, phone numbers, physical addresses, and dates of birth. Allianz Life reported that a cyberattack in July 2025 targeted data stored on **Salesforce** and was later followed by the online leak of **1.1 million unique email addresses**. The exposed Allianz Life records also included names, genders, dates of birth, phone numbers, and physical addresses, underscoring how social engineering attacks continue to drive large-scale exposure of sensitive personal information across financial services firms.
Mar 27, 2026