Sefas Innovation disclosed a data breach involving unauthorized access to its SFTP server, which contained sensitive information related to Frost Bank. The breach potentially exposed names, Social Security numbers, account numbers, and other financial data. Sefas is offering affected individuals 12 months of complimentary credit monitoring and identity protection services.
Sefas Innovation Data Breach Investigation
Sefas reported a cybersecurity incident involving one of its SFTP servers used to provide software support for Frost Bank. On or about April 16, 2026, Sefas learned that an unauthorized group claimed possession of data associated with the organization it supports.
Sefas immediately launched an investigation and engaged cybersecurity specialists to determine the scope of the incident. The investigation revealed unauthorized activity on the SFTP server, including the intermittent download of certain files containing Frost Bank data between December 2025 and April 2026. The company informed Frost Bank of the incident on April 22, 2026, and began working to identify affected individuals and files. d files included tax information forms and bill pay check images. According to Sefas, these files contained personal information such as names, addresses, Social Security or taxpayer identification numbers, account numbers, dates of birth, and loan numbers. There is no evidence that the unauthorized activity extended beyond the SFTP server or continued after April 16, 2026.
In response, Sefas implemented containment measures, isolated the affected system, and worked with cybersecurity specialists to secure the environment. The company also undertook a detailed review of the Frost Bank files to understand the scope of exposure.
Sefas is providing affected individuals with access to Credit Monitoring, Credit Report, and Credit Score services through Cyberscout, a TransUnion company specializing in identity protection. Services include real-time alerts for 12 months from enrollment and proactive fraud assistance.
When Did This Breach Occur?
The unauthorized access occurred intermittently between December 2025 and April 16, 2026. The activity was discovered by Sefas on April 16, 2026, and Frost Bank was informed on April 22, 2026.
What Information Was Breached?
The files accessed on Sefas’s SFTP server potentially included:
- Name
- Address
- Social Security number or other taxpayer identification number
- Account numbers
- Date of birth
- Loan numbers
What You Can Do
If you received a notification from Sefas, carefully review it and enroll in the complimentary 12-month credit monitoring and identity protection services offered.
You should monitor bank accounts, credit reports, and financial statements for unusual activity. Consider placing fraud alerts or credit freezes with the three major credit bureaus. Keep a record of any suspicious activity and document your enrollment in the identity protection services.
File a Data Breach Lawsuit Against Sefas Innovation
If your personal information may have been exposed due to the Sefas breach, you may be eligible to pursue compensation through a data breach lawsuit. Potential compensation may include reimbursement for time, out-of-pocket expenses, identity theft, fraud, and privacy violations.
Companies that store sensitive financial and personal information have a responsibility to maintain reasonable cybersecurity protections. When those protections fail, affected individuals have legal options to seek accountability and recovery.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.
