SoFi Hong Kong Reports Data Breach via Third-Party Vendor SoFi Hong Kong, a subsidiary of U.S.-based financial technology company SoFi, has disclosed a data breach after hackers accessed a customer database through a third-party vendor. The incident was detected on April 30, 2026, when unauthorized access to a database belonging to SoFi Securities (Hong Kong) Limited was identified. SoFi engaged a third-party cybersecurity firm to investigate the breach, though the full scope and impact remain unclear. In emails sent to affected customers, the company stated it has not yet determined which specific data may have been exposed. A SoFi spokesperson confirmed the breach to BleepingComputer but declined to provide further details, including the number of impacted customers, whether extortion was involved, or the identity of the compromised vendor. While the exact data at risk has not been disclosed, SoFi advised customers to watch for phishing attempts, suspicious communications, and unusual account activity. The company has implemented additional safeguards, including enhanced monitoring of affected accounts and potential verification requirements for support interactions or account changes. Customers seeking assistance were directed to a Hong Kong support line (+852 26938888) and email ([email protected]). The investigation remains ongoing.

M&T Bank Data Breach Exposes Sensitive Customer Information via Third-Party Provider In August 2025, M&T Bank a major financial institution headquartered in Buffalo, New York, with over 960 branches across 12 states discovered a data breach stemming from a security incident at one of its third-party service providers. While the bank’s own systems remained unaffected, unauthorized access to files containing customer data occurred within the vendor’s environment. The breach, disclosed to the Massachusetts Attorney General on April 17, 2026, exposed sensitive personally identifiable information (PII) of M&T Bank customers, including names, Social Security numbers, driver’s licenses, credit/debit card numbers, and financial account details. In Massachusetts alone, 462 individuals were confirmed as impacted. Class action law firm Shamis & Gentile P.A. is currently investigating the incident, assessing potential claims for affected customers who may be eligible for compensation. The breach highlights ongoing risks associated with third-party vendor security in the financial sector.

Frontwave Credit Union Reports Data Breach Affecting Member SSNs After Vendor Error Oceanside, Calif. Frontwave Credit Union, a $1.7 billion financial institution, disclosed a data breach involving member names and Social Security numbers after a service provider accidentally shared sensitive information with another credit union. The incident was reported to the California Attorney General’s Office on April 28, 2026, with the breach occurring on April 3, 2026. According to Frontwave’s notification, the credit union was alerted by the vendor on April 3 that non-public member data had been exposed. The recipient credit union, which was not named, confirmed deletion of the information. Frontwave stated there is no evidence of misuse but acknowledged the exposure of personally identifiable data. As a remedial measure, affected members are being offered 12 months of complimentary Experian IdentityWorks protection, including credit monitoring, identity restoration support, and up to $1 million in identity theft insurance. The breach appears to have been contained, with no indication of broader impact.