First National Bank of Clarksdale Breach: Network Intrusion Exposes SSNs
Analysis of the First National Bank of Clarksdale network intrusion on June 4-5, 2025, where an unauthorized actor obtained files containing SSNs and financial account numbers.
Community Bank in Mississippi Delta Hit by Targeted Network Intrusion
First National Bank of Clarksdale (FNBC), a community bank headquartered at 402 E. 2nd St. in Clarksdale, Mississippi, filed a breach notification with the Maine Attorney General on September 24, 2025, disclosing that an unauthorized actor gained access to its computer network between June 4 and June 5, 2025. During that narrow access window, the intruder obtained files containing names, Social Security numbers, and financial account numbers.
The Maine filing identifies just one affected resident in the state. FNBC did not disclose the total number of individuals affected across all jurisdictions -- a gap that is common in Maine AG filings from smaller institutions, where the total count may be modest enough to avoid broader reporting thresholds. The low Maine figure suggests limited geographic reach beyond FNBC's core Mississippi Delta service area, but the types of data compromised -- SSNs and bank account numbers -- make this incident significant regardless of volume.
FNBC is a small community bank serving Clarksdale and the surrounding Coahoma County region. Community banks of this size rarely make national breach headlines, but they hold the same categories of sensitive customer data as the largest institutions, and they face the same threat actors with a fraction of the defensive resources.
Timeline: 112 Days From Intrusion to Notification
The sequence from breach to disclosure reveals a timeline familiar to anyone tracking community bank incidents:
- June 4-5, 2025 -- Unauthorized access to FNBC's computer network. The intruder obtains files containing customer personal information during a window of approximately one to two days.
- Post-incident -- FNBC launches an investigation, working to determine the scope of compromised data and identify affected individuals.
- September 8, 2025 -- Investigation concludes with identification of the specific data and individuals affected.
- September 24, 2025 -- FNBC sends notification letters to affected individuals and files the breach report with the Maine Attorney General.
Total elapsed time from intrusion to consumer notification: approximately 112 days. Of that, 96 days were consumed by the investigation, and 16 days elapsed between completing the data review and notifying affected individuals. The 16-day notification window after identification is reasonable. The 96-day investigation period is where the delay accumulates.
For a community bank, a three-month investigation timeline is not unusual. These institutions often lack dedicated forensic capabilities and must engage third-party incident response firms that may have their own scheduling constraints. Contrast this with major banks, which maintain internal digital forensics teams and can initiate investigations within hours. The resource gap translates directly into notification delay, leaving affected individuals exposed for longer.
What Data Was Exposed
The notification confirms three categories of compromised data, all classified as high-risk:
Social Security numbers. SSNs remain the most dangerous data element in any breach. They are permanent, cannot be reissued without extraordinary circumstances, and serve as the primary identifier across the U.S. financial system. A compromised SSN enables identity theft, fraudulent credit applications, tax refund fraud, and synthetic identity creation. The risk persists indefinitely -- there is no expiration date on SSN-based fraud.
Financial account numbers. When account numbers are compromised from the bank that holds them, the risk is direct and immediate. An attacker with a valid account number from the issuing institution can attempt unauthorized ACH debits, fraudulent wire transfers, and account takeover. This is not a peripheral data exposure -- it is core banking information that can be weaponized against the account holder's own deposits.
Names. The linking element that ties SSNs and account numbers to specific individuals, enabling targeted exploitation rather than opportunistic fraud.
The combination of SSNs and financial account numbers from a bank is particularly dangerous. Unlike breaches that expose only marketing data or contact information, this combination gives an attacker the tools to move money. Account numbers confirm where the funds are. SSNs provide the identity verification layer needed to redirect them.
How the Attack Happened
FNBC characterized the incident as unauthorized access to its computer network -- a hacking-based network intrusion. The notification does not specify the initial access method, the specific systems compromised, or whether the attacker deployed malware, exploited a vulnerability, or used stolen credentials. This level of detail is typical for community bank breach notifications, which tend to describe the outcome (files obtained) rather than the technical mechanism.
The one-day access window is noteworthy. A June 4-5 intrusion that successfully exfiltrated files containing SSNs and account numbers suggests either a targeted, rapid attack or an intrusion that was detected and contained quickly. Both scenarios are plausible. Targeted attacks against community banks often involve pre-positioned access -- an attacker who has already conducted reconnaissance and knows exactly where to find sensitive data. Quick containment, on the other hand, would indicate that FNBC's detection capabilities functioned as intended, even if they could not prevent the initial breach.
This short-window intrusion pattern has appeared in other bank-sector incidents we have tracked. The Anderson Bancshares breach, disclosed in December 2025, involved a third-party compromise that exposed 3,272 customers' SSNs, account numbers, and dates of birth. While that incident stemmed from a vendor failure rather than a direct network intrusion, the data types compromised and the downstream risk profile are nearly identical. Community banks face the same data exposure outcomes regardless of whether the attack enters through their own network or through a vendor's.
Who Is Affected
The Maine AG filing identifies one Maine resident as affected. The total number of individuals impacted across all states is not disclosed in the filing. FNBC is a community bank with a limited geographic footprint -- its customer base is concentrated in Clarksdale and the surrounding Mississippi Delta region. The total affected count is likely small relative to larger institutional breaches, though FNBC has not confirmed a number publicly.
FNBC is offering affected individuals identity and credit monitoring services through Epiq Privacy Solutions ID. The remediation package includes three-bureau credit monitoring, $1 million in identity theft insurance coverage, and dark web monitoring. The provision of three-bureau monitoring and insurance coverage signals that FNBC's incident response team assessed the data exposure as high-severity -- banks do not offer this level of remediation for low-risk exposures.
Even a small number of affected customers with SSN and account number exposure face meaningful risk. The per-individual impact does not scale with the total breach count. One person whose SSN and bank account number are in the hands of an attacker faces the same identity theft and account fraud risk whether 10 or 10,000 other people were also compromised.
Regulatory Implications for a Community Bank
FNBC operates under the regulatory framework that governs all U.S. commercial banks. As a national bank or state-chartered institution (the filing does not specify), FNBC falls under the supervision of either the OCC or Mississippi's Department of Banking and Consumer Finance, along with the FDIC as its deposit insurer.
The Gramm-Leach-Bliley Act (GLBA), Section 501(b), requires financial institutions to establish administrative, technical, and physical safeguards for customer information. The Interagency Guidelines Establishing Information Security Standards, issued jointly by the OCC, FDIC, and Federal Reserve, mandate that banks develop written information security programs proportionate to their size and complexity. A network intrusion that results in the exfiltration of SSNs and account numbers will prompt examiners to review whether FNBC's information security program identified network intrusion as a threat scenario and whether controls were in place to detect and prevent unauthorized access.
The FFIEC IT Examination Handbook sets baseline expectations for access controls, network segmentation, intrusion detection, and incident response. For community banks, the challenge is that these standards are technology-agnostic and scale-agnostic -- the same expectations apply to a bank with $50 million in assets and one with $500 billion. Community banks must meet FFIEC examination standards with budgets that may not support dedicated security staff, 24/7 monitoring, or advanced threat detection tooling.
The FDIC has published guidance specifically addressing community bank cybersecurity, acknowledging the resource constraints these institutions face while maintaining that the obligation to protect customer data does not diminish with institutional size. The 2023 interagency guidance on computer security incident notification requires banks to notify their primary federal regulator within 36 hours of a significant incident. Whether FNBC's June 4-5 intrusion triggered this reporting threshold depends on how the bank classified the incident at the time of discovery.
State-level requirements add to the compliance burden. Mississippi's data breach notification statute requires notice without unreasonable delay. Maine requires notification "as expediently as possible." For a community bank with limited legal and compliance staff, managing multi-state notification obligations from a single incident consumes resources that could otherwise support remediation.
The Bigger Picture: Community Bank Cyber Risk
Community bank cybersecurity is a structural challenge that regulators, industry groups, and the banks themselves recognize but have not solved. FinSecLedger's breach tracker has documented multiple bank-sector breaches in recent months, including Texana Bank (1,324 customers affected by email compromise) and Artisans' Bank (32,344 customers exposed through a vendor breach). The threat surface is broad, the attack vectors are varied, and the affected institutions share a common profile: small banks with limited cybersecurity budgets facing threat actors who do not adjust their tactics for institutional size.
The FS-ISAC provides threat intelligence sharing for financial institutions of all sizes, including community banks, and has consistently identified network intrusion and credential-based attacks as top threats to smaller institutions. The FBI's Internet Crime Complaint Center (IC3) tracks cybercrime complaints from financial institutions and has documented increasing targeting of community banks and credit unions by organized threat groups.
The Federal Reserve Bank of New York's 2024 report on community bank resilience identified cybersecurity as one of the top operational risks facing smaller institutions. The report noted that community banks increasingly rely on shared technology service providers and managed security services to bridge capability gaps -- a strategy that can improve security posture but introduces its own concentration risk, as the Marquis Software Solutions incident demonstrated across the credit union sector.
FNBC's breach is a single data point in a larger pattern. A one-day network intrusion at a Mississippi community bank may not generate the attention of a million-record breach at a national institution, but the exposed data types -- SSNs and bank account numbers -- create the same per-individual harm. The question for the community banking sector is not whether these incidents will continue but whether smaller institutions can build detection and response capabilities fast enough to limit the damage when they occur.
Action Items
For affected FNBC customers:
- Enroll in the Epiq Privacy Solutions ID monitoring using the instructions in your notification letter. The service includes three-bureau credit monitoring, dark web monitoring, and $1 million identity theft insurance. Do not wait -- enroll immediately.
- Freeze your credit with all three bureaus. Contact Equifax (1-800-685-1111), Experian (1-888-397-3742), and TransUnion (1-800-888-4213). A freeze is preventive -- it blocks new accounts from being opened using your identity. It is free under federal law.
- Contact FNBC about your account numbers. Ask whether your compromised account numbers should be changed. The bank's notification does not address this step, but exposed account numbers create direct fraud risk that monitoring alone does not prevent.
- Request an IRS Identity Protection PIN. Apply at irs.gov/ippin to prevent fraudulent tax returns filed using your SSN.
- Monitor your FNBC accounts daily. Watch for unauthorized transactions, unfamiliar ACH debits, and changes to your contact information or online banking credentials. Report anything suspicious to FNBC immediately.
For peer community banks:
- Assess your network intrusion detection capabilities. Can your current tooling detect and alert on unauthorized network access within hours, not days? If your bank relies solely on periodic log reviews, evaluate managed detection and response (MDR) services that provide continuous monitoring at a price point accessible to community institutions.
- Review your incident response plan. The 96-day investigation timeline at FNBC is common but not inevitable. Pre-establishing relationships with forensic investigation firms, maintaining current asset inventories, and conducting tabletop exercises can reduce investigation timelines significantly when an incident occurs.
- Evaluate data segmentation. Files containing SSNs and account numbers should not be accessible from the same network segments as general employee workstations. Network segmentation limits the blast radius of a network intrusion and can prevent an attacker with initial access from reaching the most sensitive data stores.