Close-up of a credit card on a laptop keyboard with a lock icon on screen

TL;DR:

  • What happened: A Community Bank employee uploaded customer names, dates of birth, and Social Security numbers into an unauthorized AI chatbot. The bank disclosed the incident in an SEC 8-K filing on May 7, 2026. [1][2]
  • What we don’t know: Which AI tool was used, how many customers were affected, how long the data was exposed, or whether the chatbot provider retained or trained on the data. The bank hasn’t answered any of these questions. [1][3]
  • Why it matters: This isn’t a hack. Nobody broke in. An employee voluntarily handed customer SSNs to a third-party AI company. That’s a fundamentally different kind of data breach, and one that every bank, hospital, and law firm using AI tools is vulnerable to right now.
  • The bigger picture: “Shadow AI” employees using unauthorized AI tools with sensitive data, is the fastest-growing data security risk in financial services. Community Bank just became the first public example. It won’t be the last. [4]

What Actually Happened

On May 7, 2026, Community Bank, a regional lender operating across southwestern Pennsylvania, Ohio, and West Virginia, filed a Form 8-K with the Securities and Exchange Commission. The filing disclosed that customer data had been fed into “an unauthorized artificial intelligence-based software application.” [1]

Translation: somebody at the bank copy-pasted customer records into an AI chatbot.

The exposed data includes customer names, dates of birth, and Social Security numbers. The bank cited “the volume and sensitive nature of the non-public information at issue” as the reason for the SEC filing, which tells you the number of affected customers isn’t small. [1][2]

Community Bank CEO John Montgomery didn’t respond to press inquiries. The bank’s public statement says it’s “evaluating the customer data that was affected” and “sending notifications in accordance with relevant laws.” [1]

That’s it. That’s the entire disclosure.

Five Questions Community Bank Won’t Answer

The SEC filing and subsequent statements leave enormous gaps:

  1. Which AI tool? Was it ChatGPT? Claude? Gemini? A random no-name chatbot? This matters because each company has different data retention and training policies. Some AI providers explicitly state they may train on user inputs. [1]
  2. How many customers? The bank won’t say. The phrase “volume and sensitive nature” in the SEC filing suggests the number is significant enough to trigger regulatory reporting requirements. [2]
  3. Was it one employee or many? The filing uses singular language, but shadow AI use is rarely one person. If one employee thought it was okay to paste SSNs into a chatbot, others probably did too.
  4. Did the AI provider retain the data? Most consumer-grade AI chatbots store conversation logs. Some use them for model training. Customer SSNs could now be sitting in a third-party company’s training data or log files. [3]
  5. What were the bank’s AI policies? Did Community Bank have a policy prohibiting the use of unauthorized AI tools? If so, it failed. If not, that’s worse.

This Isn’t a Hack. It’s Worse.

When hackers breach a company, at least the company can claim it was a victim. Firewalls failed. Patches weren’t applied. Somebody clicked a phishing email. There’s an attacker to blame.

This is different. Nobody broke in. An employee voluntarily took customer Social Security numbers and typed them into a tool that sends data to a third-party server. The bank’s own people handed the keys over.

And here’s the part that should worry every bank customer in America: this is probably happening everywhere, right now. A February 2026 survey by Cyberhaven found that 8.6% of employees have pasted company data into AI tools. In financial services, workers handle SSNs, account numbers, and financial records all day. The question isn’t whether other banks have this problem. It’s whether they’ve noticed it yet.

The Shadow AI Problem

Security professionals call it “shadow AI” employees using AI tools that their employer hasn’t approved, vetted, or even knows about. It’s the 2026 version of shadow IT, but with a critical difference: when an employee used an unauthorized spreadsheet app in 2015, the data stayed in a file on a server. When an employee pastes data into a chatbot, it goes to a third-party company’s cloud infrastructure. [4]

The banking sector is particularly exposed. Employees work with the most sensitive data that exists. Social Security numbers, financial records, transaction histories, and they’re under pressure to work faster. AI tools make them faster. The incentive structure practically guarantees data leakage.

JPMorgan Chase, Bank of America, and Goldman Sachs all restricted or banned employee use of ChatGPT by mid-2023. But those are major banks with dedicated security teams. Community Bank has 30 locations. The thousands of small and mid-size banks across the US almost certainly don’t have AI governance policies, or if they do, they can’t enforce them.

The Regulatory Gap

Community Bank initiated FDIC notification protocols for computer-security incidents and says it’s been in communication with banking regulators. [3] But existing regulations weren’t designed for this scenario.

Current breach notification laws assume an attacker. They define incidents in terms of “unauthorized access” by outsiders. When the access is authorized, an employee doing their job, but the tool they use isn’t, the regulatory framework gets fuzzy.

The FDIC requires banks to report “computer-security incidents” that cause actual harm or that involve the bank’s core systems. An employee pasting data into a chatbot doesn’t neatly fit either category. Community Bank filed anyway, which suggests their lawyers are worried enough to over-disclose rather than under-disclose.

No federal banking regulator has issued specific guidance on employee use of generative AI with customer data. The OCC, FDIC, and Federal Reserve have issued general statements about AI risk management, but nothing that says: “Here are the rules for AI chatbots and customer PII.” That gap is now a documented breach.

What You Should Do

  • If you’re a Community Bank customer: You should receive a notification letter. When you do, freeze your credit with all three bureaus (Equifax, Experian, TransUnion). Your SSN is now potentially in a third-party AI company’s logs. Treat this like any other SSN exposure.
  • If you bank anywhere: Ask your bank whether they have a policy on employee use of AI tools with customer data. Ask if they use data loss prevention tools that detect when sensitive data is being pasted into external applications. You probably won’t get a straight answer, but the question itself pushes institutions to think about it.
  • If you use AI chatbots at work: Never paste customer data, patient data, student data, or any personally identifiable information into a chatbot. Use synthetic data or anonymized examples instead. If your employer doesn’t have an AI use policy, that’s a red flag, not permission.

The Takeaway

Community Bank is a small regional lender that most people have never heard of. But this breach matters because it’s the first public, SEC-documented case of what security experts have been warning about for two years: employees feeding sensitive data into AI tools that their employers can’t control.

The bank won’t name the chatbot. Won’t say how many customers are affected. Won’t explain how an employee got that much customer data into an external tool without anyone noticing.

Somewhere, right now, an employee at another bank is pasting a customer’s Social Security number into a chatbot to auto-fill a form, summarize an account, or draft a letter. They don’t think of it as a data breach. They think of it as getting work done.

That’s the problem.

Related: 42 Attorneys General vs. Big AI

Sources

  1. TechCrunch: US bank discloses security lapse after sharing customer data with AI app (May 12, 2026)
  2. The Register: US bank reports itself after slinging customer data at ‘unauthorized AI app’ (May 12, 2026)
  3. SC Media: Community Bank customer data exposed via unauthorized AI software (May 2026)
  4. Yahoo Finance: Bank Employee Drops Customer Data Into AI Chatbot, Exposes Thousands (May 2026)