U.S. bank discloses security lapse after sharing customer data with AI app

TL;DR

Community Bank, which operates in Pennsylvania, Ohio, and West Virginia, disclosed a cybersecurity incident involving customer data exposure. The breach occurred due to the use of an unauthorized AI application, but details remain unclear. The bank is investigating and notifying affected customers.

Community Bank, operating in Pennsylvania, Ohio, and West Virginia, disclosed a cybersecurity incident involving the exposure of customer data due to the use of an unauthorized AI-based software application, according to an SEC filing dated May 7, 2026.

The bank reported that customer names, dates of birth, and Social Security numbers were exposed as a result of the incident. The breach was identified after the bank detected the use of an unapproved AI application that may have involved uploading customer data to an online chatbot platform. Community Bank has not disclosed the exact number of affected customers or the specific AI tool involved but stated it is evaluating the scope of the data exposure and is sending notifications in compliance with relevant laws. The incident was first reported by The Register and confirmed by the bank’s SEC filing.

Why It Matters

This incident highlights the growing risks associated with the use of AI tools, especially when used without proper security controls. It raises concerns about how financial institutions manage sensitive customer data and the potential vulnerabilities introduced by third-party AI applications. The breach could undermine customer trust and attract regulatory scrutiny, emphasizing the importance of strict cybersecurity protocols in banking.

Background

Security lapses involving AI tools are increasingly coming to light as organizations adopt more advanced technologies. In this case, Community Bank’s disclosure follows recent industry warnings about the risks of sharing sensitive data with AI platforms. The incident occurs amid broader concerns over data privacy and cybersecurity in the financial sector, where regulatory bodies have been emphasizing stricter controls.

“We are taking this incident very seriously and are actively investigating the scope of the data exposure.”

— Community Bank CEO John Montgomery

“The bank detected an exposure of customers’ personal data due to the use of an unauthorized artificial intelligence-based software application.”

— SEC filing, Community Bank

What Remains Unclear

It is not yet clear how many customers were affected, what specific AI application was involved, or the full extent of the data exposure. Details about how the breach occurred and whether it was due to internal or external factors remain under investigation.

What’s Next

Community Bank is expected to complete its evaluation of the affected data, notify impacted customers, and implement enhanced security measures. Regulatory agencies may also investigate the incident, and further disclosures could follow as more details emerge.

Key Questions

What specific data was exposed in the breach?

Customer names, dates of birth, and Social Security numbers were reported to be exposed.

How did the breach happen?

The bank stated it was due to the use of an unauthorized AI application, but the exact details of how data was uploaded or shared are still under investigation.

Is my personal data safe now?

The bank is actively evaluating the incident and notifying affected customers. It is recommended to monitor your accounts and report any suspicious activity.

Will there be regulatory penalties?

Potential regulatory action is possible, depending on the findings of the investigation and compliance with data protection laws.
