Orrstown Financial Services recently disclosed a data security incident involving a third-party vendor that may have exposed sensitive customer information. While Orrstown Bank’s internal systems were not compromised, certain customer data may have been accessed through the vendor’s environment.
Orrstown Bank’s Data Breach Investigation
Orrstown Financial Services, which operates as Orrstown Bank in Pennsylvania and Maryland, recently reported a data security incident involving one of its third-party service providers. According to a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC), the company learned on May 21, 2026, that an unnamed vendor had experienced a data breach involving unauthorized access to sensitive customer information.
The disclosure indicates that the incident occurred within the vendor’s environment and did not involve a compromise of Orrstown’s own systems. Nevertheless, because the vendor maintained information related to certain Orrstown customers, the unauthorized access may have affected customer data entrusted to the third party.
Third-party vendor breaches have become increasingly common across the financial services industry. Banks and financial institutions frequently rely on outside vendors for services such as data storage, communications, customer support, document processing, and technology infrastructure. While these partnerships can improve efficiency, they may also create additional cybersecurity risks when sensitive information is shared with external organizations.
At the time of the SEC filing, Orrstown had not publicly disclosed the specific categories of information involved in the incident. The company indicated that it was working to determine the scope of the breach and that affected customers would be notified as additional information becomes available.
Because the investigation remains ongoing, many important details are still unknown, including how many individuals may have been affected, how long the unauthorized access lasted, and whether any information has been misused. However, incidents involving financial institutions can be especially concerning because customer records may contain personal and financial information that could potentially be used for identity theft or fraud.
Consumers often assume that their information remains protected when shared with trusted financial institutions. When a third-party vendor experiences a security incident, affected individuals may still face risks even though the bank itself was not directly breached. As a result, customers may have questions regarding their privacy rights and legal options.
Class Action U believes consumers deserve transparency and accountability when personal information may have been exposed. Individuals who receive notification from Orrstown Bank should review any correspondence carefully and stay informed as additional details emerge.
When Did This Breach Occur?
According to Orrstown Financial Services’ SEC filing:
- Date Orrstown Was Notified of the Incident: May 21, 2026
- Type of Incident: Third-party vendor data breach involving unauthorized access to customer information
- Status: Investigation ongoing
At this time, Orrstown has not publicly disclosed when the vendor breach originally occurred or how long the unauthorized access may have lasted.
What Information Was Breached?
At the time of the disclosure, Orrstown had not identified the specific categories of information that may have been involved.
The company stated that customer information may have been exposed through the affected third-party vendor, but additional details have not yet been released.
Affected customers should monitor future communications from Orrstown Bank for information regarding:
- The specific data involved
- Whether their information was affected
- Available identity protection resources
- Additional steps recommended by the bank
What You Can Do
If you are an Orrstown Bank customer, consider taking the following precautions:
- Monitor communications from Orrstown Bank regarding the incident.
- Review bank and financial account statements regularly.
- Watch for suspicious transactions or unauthorized activity.
- Monitor your credit reports for unfamiliar accounts or inquiries.
- Consider placing a fraud alert or credit freeze if sensitive information is later confirmed to have been exposed.
- Keep copies of any notices, emails, or correspondence related to the incident.
Consumers who receive notification that their personal information was involved may also wish to explore their legal rights and determine whether they may be entitled to compensation related to the breach.
File a Data Breach Lawsuit Against Orrstown Bank
If your information was exposed in the Orrstown Bank data breach, you may have legal rights. Data breach lawsuits may seek compensation for loss of privacy, time spent dealing with the consequences of the breach, identity theft risks, out-of-pocket expenses, and other damages associated with the exposure of personal information.
Even when a breach occurs through a third-party vendor, affected consumers may have questions regarding whether adequate safeguards were in place to protect their information. Legal action can help individuals pursue accountability and encourage stronger data security practices.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.
