Community bank MainStreet Bancshares says thieves stole data belonging to some of its customers during an attack on a third-party provider.
Showing how vendors along the supply chain are often the weak link, the holding company that primarily oversees MainStreet Bank told America’s Securities and Exchange Commission (SEC) about the snafu on Friday, saying it was made aware of a break-in at the provider back in March.
By April 28, it confirmed that its own data was part of the stolen loot; specifically, data belonging to circa 4.65 percent of its total customer base.
The business-focused bank has not made the number of its customers publicly available. However, offering some insight into its scale, its most recent results stated that in 2024 total deposits grew 13 percent to $1.9 billion, and its revenues for the past 12 months were $135 million, according to the FT.
Fairfax, VA-based MainStreet Bank operates around 55,000 ATMs and runs just six branches across Virginia and Washington DC, and has “well over 1,000 businesses” signed up for its Put Our Bank in Your Office on-prem banking offering.
The holding company confirmed via its Form 8-K filing with the SEC that its own technical infrastructure was not compromised, nor had any unauthorized transactions or monies been transferred.
The attack on the third-party vendor, which was not identified, also didn’t impact MainStreet’s operations or finances.
It said after being alerted to the attack, MainStreet “immediately activated its incident response process to investigate and remediate the incident and initially concluded that the incident’s impact would likely not be material.
“Although each vendor undergoes a thorough security vetting process, we swiftly ceased all activity with this provider.”
It went on to confirm “on May 26, 2025, appropriate monitoring systems were established and the impacted customers were notified and provided tools to monitor any suspicious activity.”
Rid of requirements
Just as the UK gears up to increase its mandatory requirements for reporting cyberattacks, leaders at US banking bodies are already sick of the equivalents in the US and are lobbying for their repeal.
The Item 1.05 rule – the specific part of the SEC’s Form 8-K that requires regulated US entities to disclose cybersecurity or data security failings – came into force in December 2023. Since then, hundreds of organizations have been forced to disclose their respective attacks and data thefts.
According to an open source tracker created by Andrew Hoog, the total number of cyber snafus disclosed via 8-Ks is 221.
An open letter [PDF] signed by SIFMA, the American Bankers Association, Bank Policy Institute, Independent Community Bankers of America, and the Institute of International Bankers, asked the SEC last week to drop the Item 1.05 rule for a number of reasons.
The banking bodies took aim both at the Form 8-K requirements and the Form 6-K rules for foreign private issuers, but it’s the 8-K Item 1.05 that leads to the vast majority of data disclosures.
The rules mandate rapid disclosure, and this can mean attacks are publicized prematurely, before thorough investigations can be completed, the bankers complained.
They also argued that these filings fail to provide investors with meaningful or actionable information to inform their investment decisions, and that banks are often confused about which section of a filing they should be detailing their data failings in.
Item 1.05 is reserved for material data events, while Item 8.01 is for immaterial incidents. The confusion around what passes for “material” isn’t new, and the SEC was forced to issue a clarification last year as a result, but banks apparently still can’t wrap their heads around it.
Lastly, the bodies claimed these filings are being used as leverage by criminal extortionists, a tactic spearheaded by the now-shuttered ALPHV/BlackCat ransomware group.
The letter reads: “these requirements impose additional risks, cost, and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors.”
The five banking bodies “respectfully request” that the SEC drop its Item 1.05 rule, and said they’d be happy to work with the regulator to develop “a balanced cyber disclosure regime that acknowledges national security realities while not losing sight of the SEC’s investor protection mandate.” ®