Chico bank suffers data breach after February cyber attack

Tri Counties Bank suffered a data breach at the hands of Black Basta, which on Thursday published the personally identifying information and documents it stole.

Tri Counties Bank in Chico, California, suffered a data breach during a cybersecurity incident that took place in February, the latest fallout of an apparent ransomware attack by criminal group Black Basta.

The group published photos of identity documents, including passports and driver's licenses, that it says it stole from the bank, but the total scope of the breach is unclear so far.

The bank is aware of the alleged data breach and is working with third-party forensic specialists to identify exactly what data the group stole, according to Tom Kane, senior vice president and director of marketing for Tri Counties Bank.

Brett Callow, a threat analyst for cybersecurity research firm Emsisoft, noticed the claim of a breach and posted a tweet about it Monday morning. The bank had suffered an outage to its ATM network and other systems in February as a result of a cybersecurity incident, though it is unclear whether that incident is related to the ransomware campaign.

"Cyberattacks on financial institutions are always concerning, and that's especially true at this point in time as confidence in banks is low," Callow said. "If customers can't access their money via ATMs, it could well cause a panic."

Black Basta has claimed multiple other victims so far this year, including Advance America, a lender based in Spartanburg, South Carolina. The scope of that breach is also unclear.

Representatives for Advance America did not respond to a request for comment.

Black Basta first became active in April 2022, when cybersecurity news site Bleeping Computer reported the group had claimed 12 victim companies. In total, the group has claimed compromises of at least 200 companies.

One strain of malware the group has used, especially against U.S. firms, is called Qakbot; the U.S. Department of Health and Human Services said cybercriminals first used the malware in a major way in 2020.

DHHS published a report last week with additional information about the group, specifically focused on its impact on U.S. healthcare institutions, including ties the group apparently shares with another ransomware group, Conti. That group dissolved in 2022 after some members announced their alignment with Russia following the country's invasion of Ukraine, and other members began sabotaging the group by leaking source code and chat logs.

"For now, while [it is] impossible to state that Conti rebranded as or that some previous members of Conti are in Black Basta, the connections shared between both groups support the premise of some collaboration," the report said.

Update
This article has been revised to include a response from Tri Counties Bank.
March 23, 2023 3:51 PM EDT