AI Privacy IncidentMay 7, 2026

Community Bank discloses customer data exposure through an unauthorized AI application

Vendor: Community Bank
Product: Unnamed AI application
Severity: high
Status: ongoing
Users affected: undisclosed

Summary

On May 7, 2026, Community Bank, a regional U.S. lender operating in Pennsylvania, Ohio, and West Virginia, filed a Form 8-K with the Securities and Exchange Commission disclosing that customer names, dates of birth, and Social Security numbers had been exposed through the use of "an unauthorized artificial intelligence-based software application." The bank did not name the AI tool involved and did not state how many customers were affected. The investigation is ongoing.

What happened

  • Community Bank filed an 8-K with the SEC on May 7, 2026 reporting a cybersecurity incident tied to the use of an unauthorized AI application.
  • The exposed records included customer names, dates of birth, and Social Security numbers, according to the filing.
  • The bank said it disclosed the incident "due to the volume and sensitive nature of the non-public information at issue."
  • The bank said it is "evaluating the customer data that was affected" and is "sending notifications in accordance with relevant laws."
  • The specific AI vendor, the date of the exposure, and the population affected were not disclosed in the filing.

Timeline

  • 2026-05-07 - Community Bank files Form 8-K with the SEC disclosing the exposure.
  • 2026-05-12 - TechCrunch and The Register publish the first press accounts citing the 8-K.

What the vendor has confirmed

The 8-K attributed the exposure to "the use of an unauthorized artificial intelligence-based software application" and said the investigation remained ongoing at the time of filing. No statement has been issued by the AI application provider, which the bank did not identify.

What remains unclear

  • The AI application that received the data has not been identified.
  • The number of customers whose records were exposed has not been disclosed.
  • The date the data was provided to the AI tool has not been published.
  • Whether the AI vendor has been asked to delete the data, and whether it has done so, has not been addressed in the public record.

Broader context

Disclosed exposures tied to staff use of consumer AI tools outside sanctioned channels have been a recurring category since hosted chat assistants entered the workplace. Regulated industries face additional disclosure obligations under sector-specific rules such as the Gramm-Leach-Bliley Act, which can require a public 8-K even when the operator's own systems were not directly compromised.

Sources

Selvam Sivakumar
Written by

Selvam Sivakumar

Founder, Elephas.app

Selvam Sivakumar is the founder of Elephas and an expert in AI, Mac apps, and productivity tools. He writes about practical ways professionals can use AI to work smarter while keeping their data private.

LinkedInFollow

Related Resources

news

ChatGPhish: Your Trusted AI Just Became the Phishing Surface

The ChatGPhish vulnerability turns any web page into a ChatGPT phishing attack the moment you ask it to summarize. What leaks with zero clicks, why the cloud assistant is the attack surface, and how to cut the risk.

9 min readnews

OpenAI Is Accused of Sharing ChatGPT Chats With Meta and Google

A California class action accuses OpenAI of allegedly routing ChatGPT query data to Meta and Google through Meta Pixel and Google Analytics. What the suit claims, why the leak vector is the website and not the model, and whether ChatGPT is safe for sensitive work.

7 min readnews

Claude Mythos Release: What It Means for Your Private Files

Anthropic is withholding Claude Mythos on cyber-safety grounds, but the public release lands in weeks. Here is what that means for the documents you put into AI tools, and the one move worth making first.

8 min readnews

Starlink Updated Its Privacy Policy on January 15. If You Don't Opt Out, Your Data Trains AI.

On January 15, 2026, SpaceX updated the Starlink Global Privacy Policy to allow customer data, including audio, video, and shared files, to be used for AI training. A breakdown of what changed, who's affected, and what to do today.

9 min read