Data Breach at Community Bank Mainstreet Bancshares
Community Bank Mainstreet Bancshares reported that customer data was compromised during an attack on a third-party provider. This incident highlights a common vulnerability; vendors in the supply chain can often be weak links. The holding company, which mainly manages Main Street Bank, communicated with the US Securities and Exchange Commission (SEC) regarding the breach, stating that they were aware of such intrusions as early as March.
By April 28, they confirmed that their own data was among the stolen information, affecting about 4.65% of their customers.
While specific customer counts are generally not disclosed by business-centric banks, the company recently shared that total deposits rose by 13%, totaling $1.9 billion in 2024, alongside revenues of the same amount for the past year.
Main Street Bank is based in Fairfax, Virginia, and operates around 55,000 ATMs, along with just six branches in Virginia and Washington, D.C. They currently support over 1,000 businesses in office banking.
According to a Form 8-K, the holding company reassured that neither its technology infrastructure nor its trading practices were compromised during the incident.
The breaches at unnamed third-party vendors did not seem to affect Main Street’s overall operations or financial status. In response to the warnings about the attack, Main Street activated an incident response process to assess and rectify the situation, concluding early on that the overall impact would likely be minimal.
Each vendor had undergone a thorough security assessment, yet Main Street promptly halted all transactions with the affected provider.
On May 26, 2025, Main Street implemented an appropriate surveillance system, notified impacted customers, and offered tools to monitor any suspicious activity.
Pushback on Cyberattack Reporting Requirements
As the UK prepares to enhance mandatory reporting requirements for cyberattacks, leaders in the U.S. banking sector are expressing frustration and advocating for the repeal of similar regulations. The SEC’s Item 1.05 rule in the Form 8-K, which necessitates U.S. entities to disclose cybersecurity or data security failures, took effect in December 2023. Since then, hundreds of organizations have had to report such incidents.
According to the Open Source Tracker, 221 cyber incidents have been reported through these filings. Recently, a coalition—including SIFMA and the American Bankers Association—submitted a request to the SEC to eliminate the Item 1.05 rule for various reasons.
The banking sector seeks to revise both the Form 8-K and Form 6-K requirements because the Item 1.05 leads to the bulk of disclosures. The rules mandate swift reporting, which can sometimes lead to premature public announcements of attacks, leaving institutions at a disadvantage before a complete investigation is conducted.
Banking leaders also argue that these filings often do not provide actionable information for investors and that there’s significant confusion around what qualifies as a “material” data event. The SEC has attempted to clarify this issue, but misunderstandings persist.
Moreover, the agency claims that these disclosures can be exploited by malicious actors, as seen with the now-diminished Alphv/Blackcat ransomware group. The letter from banking institutions stated, “These requirements impose additional risks, costs, and complexities on SEC registrants, undermining the SEC’s mission to foster capital formation.”
In a call for collaboration, five banking organizations asserted their desire for the SEC to remove the Item 1.05 rule while expressing their willingness to work with regulators to create a more balanced approach to cyber disclosure that considers national security and investor protection.
