The regional U.S. bank Community Bank disclosed that a staff member used an unauthorized external AI application, resulting in the improper exposure of certain customers' sensitive information. The bank detailed this incident in a filing with the U.S. Securities and Exchange Commission on May 7 and has initiated notification procedures at both federal and state levels.
Includes name, date of birth, and Social Security number
The company disclosed that the exposed information included customers' full names, dates of birth, and Social Security numbers. Such data are highly sensitive personal identifiers in the United States and, if leaked, could lead to risks of identity theft and financial fraud.
The bank has not yet specified the exact number of affected customers, but has begun reaching out to those who may have been impacted. The report noted that this incident did not result from a hacker intrusion or ransomware attack, but rather from an insider entering data that should not have left the bank’s system into an external tool.
The issue stems from uncontrolled internal usage.
What makes this incident unique is that the risk did not come from a sophisticated attack, but from employees’ routine operations. As banks and financial institutions accelerate the adoption of AI tools, many employees are using chatbots or generative platforms to process documents, summarize content, or analyze data—but these services often rely on external servers.
Once sensitive information is entered into an unauthorized platform, it may escape the organization’s original security controls. For the banking industry, such issues are particularly sensitive, as the sector is already strictly governed by privacy protection and customer information management regulations.
Banks face increasing AI governance pressures
The article notes that over the past two years, multiple U.S. regulatory agencies, including the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation, have repeatedly alerted the banking sector to AI risk management. Large tech companies and financial institutions have previously temporarily restricted the use of generative AI tools due to employees inadvertently sharing code, business data, or confidential information.
The Community Bank incident once again demonstrates that AI tools may enter everyday business operations faster than internal policies can be updated. For financial institutions, this is not only a technical issue but may also lead to increased compliance scrutiny, legal disputes, and reputational pressure.
Additional information: Community Bank is a regional bank serving Pennsylvania, Ohio, and West Virginia.
