Truist suffers data breach, hackers claim it affects 65,000 employees

On Friday, Truist acknowledged an October data breach that, according to a threat actor advertising the stolen data on a forum, includes data on 65,000 employees.

"In October 2023, we experienced a cybersecurity incident that was quickly contained," a spokesperson for Truist said. "In partnership with outside security consultants, we conducted a thorough investigation, took additional measures to secure our systems, and notified a small number of clients last fall."

The spokesperson did not say who was behind the breach, how it occurred nor whether the thieves demanded a ransom payment. The Truist spokesperson did not acknowledge the threat actor's claim of having source code or employee data, except to say that the bank was "providing awareness to teammates."

On Wednesday, threat actor Sp1d3r posted an advertisement for the stolen data on BreachForums, an online marketplace for such data. Besides data on employees including emails, phone numbers and street addresses, the threat actor also claimed to have bank transaction data including names, account numbers and balances. The group listed the data for the price of $1 million.

Sp1d3r also claimed to have "IVR funds transfer source code." IVR likely refers to interactive voice response, the automated telephone system technology that enables callers to receive or provide information, or make requests using voice or menu inputs, without speaking to a live agent.

Sp1d3r has become most known recently for advertising data stolen from Snowflake, a cloud storage company. Notable victims whose data Sp1d3r has put up for sale include Advance Auto Parts, LendingTree subsidiary QuoteWizard and Live Nation subsidiary Ticketmaster. In all cases, the stolen data was hosted on Snowflake, according to the threat actor.

According to Truist, the October breach is "not linked to Snowflake," and the bank has found "no evidence of a Snowflake incident at our company." This claim aligns with analysis from Google Cloud-owned cybersecurity firm Mandiant, which found that the earliest evidence of access by a threat actor to data hosted on Snowflake was April 14 — months after Truist said it suffered its breach.

According to the Truist spokesperson, the bank has found "no indication of fraud arising from this incident at this time, but out of an abundance of caution and to provide care, we're making identity protection services available at no cost."

"Based on new information from the ongoing investigation of the October 2023 incident, we have notified additional clients," the Truist spokesperson said Friday. "We sincerely apologize for any concern or inconvenience these notices may have caused."