Community Bank employee used unauthorized AI, exposed data

Community Bank reported in an SEC Form 8-K filed May 7, 2026 that an employee used an unauthorized AI application, resulting in the exposure of customer names, dates of birth and Social Security numbers.

The regional lender, which operates in Pennsylvania, Ohio and West Virginia, said the incident occurred when an employee submitted customer information to an outside AI tool. The filing states the exposure was not the result of an external cyberattack or a software exploit.

The bank did not disclose the number of customers affected. Community Bank has begun regulatory notifications and direct outreach to potentially impacted customers to meet state and federal requirements.

The filing described the compromised data fields as sensitive and characterized the incident as high-severity. An internal assessment is underway to determine the full scope and impact.

The bank noted it has followed state notification rules and federal guidance in contacting customers and alerting regulators. The filing also acknowledged the potential for litigation and regulatory review depending on the outcome of the investigation.

Federal banking regulators, including the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation, have identified AI risk management as an area of supervisory attention. The filing indicates an employee was able to route regulated information to an unauthorized third-party AI service.

Community Bank said it is following incident response procedures, working to contain the exposure and communicating with regulators and affected customers. The filing did not identify which AI service was used, whether the third party retained the data, or whether any downstream misuse of the information has been detected.

The bank’s 8-K and customer notifications will be followed by further updates as the internal review and regulator assessments proceed.