Orrstown Bank disclosed a cybersecurity incident after unauthorized access to certain systems on September 17, 2025. The breach potentially exposed sensitive personal information of approximately 83,938 individuals, including 16 Maine residents, prompting written notifications and identity protection services.
Orrstown Bank’s Data Breach Investigation
Orrstown Bank became aware of a data security incident reported by Mercadien, P.C. CPAs (“Mercadien”), which provides advisory services to the bank. On May 21, 2026, Mercadien notified Orrstown that unauthorized access to its systems may have compromised personal data. The bank immediately began evaluating the situation, coordinated with cybersecurity professionals, and provided notifications to affected individuals.
Investigators determined that the accessed information could include names, dates of birth, addresses, Social Security numbers or individual tax identification numbers, account numbers, and government-issued ID numbers, such as driver’s licenses or passports. At the time of notification, there was no evidence that the information had been misused.
As a precaution, Orrstown Bank offered affected individuals 24 months of complimentary credit monitoring and identity protection services through Experian IdentityWorks. The service provides fraud alerts, daily monitoring of credit files, and full identity restoration services if necessary. The bank has also reinforced its security practices to reduce the likelihood of future incidents.
When Did This Breach Occur?
The unauthorized access occurred on September 17, 2025, and was discovered on May 21, 2026. Written notifications to affected individuals, including Maine residents, were sent on June 11, 2026.
What Information Was Breached?
The breach potentially involved:
- Full names
- Dates of birth
- Addresses
- Social Security numbers or individual tax identification numbers
- Account numbers
- Government-issued IDs (driver’s license, passport)
No evidence indicated misuse of this information at the time of notification.
What You Can Do
Affected individuals should:
- Enroll in the 24-month Experian IdentityWorks credit monitoring and identity protection service.
- Monitor accounts and credit reports for unusual or unauthorized activity.
- Place fraud alerts or security freezes with Equifax, Experian, and TransUnion.
- Remain vigilant for phishing emails or other suspicious communications.
- Consider obtaining an Identity Protection PIN (IP PIN) from the IRS to protect against tax-related identity theft.
- Report suspected fraud or identity theft to the FTC, state attorney general, or local law enforcement.
File a Data Breach Lawsuit Against Orrstown Bank
If you received a notification from Orrstown Bank regarding this breach, you may be eligible to pursue compensation through a data breach lawsuit.
Organizations entrusted with sensitive personal information must implement reasonable cybersecurity safeguards. Unauthorized access to personal data, including Social Security numbers and government IDs, can lead to identity theft, fraud, and privacy violations.
A data breach lawsuit may help recover costs for identity protection services, time spent monitoring accounts, and emotional distress. Legal action can also encourage the organization to improve security measures and better protect consumer information.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.
