Arvest Bank glitch enabled customers to see other customers' data

Arvest Bank has disclosed a data breach that temporarily allowed some bank customers to see other customers' personal information. The incident affected 7,537 people.

The incident, which the bank attributed to a "technical glitch" during routine system updates, according to a letter to affected customers, occurred on April 24, 2025. The bank said it quickly detected and resolved the incident by temporarily disabling some online banking functions. Online banking and the bank's mobile baking app regained full functionality by the afternoon of April 25.

Arvest specified in the letter to affected customers that the information involved included names, account number, account balances and account activity. The bank sent the notifications on May 9, 2025.

Arvest did not immediately respond to a request for comment.

Many states have specific regulations governing data breach notifications, often requiring companies to disclose such incidents within a time frame of 30 to 45 days from the date of discovery. For example, Maine mandates notification within 30 days. Arvest Bank took 14 days to notify customers.

Previous incidents affecting the bank

Arvest has experienced previous data incidents impacting customer information, mainly involving third-party vendors used by the bank.

Cyber security

No longer optional: Cyber risk oversight for boards

U.S. Bank and Wells Fargo attorneys say cyber governance is now a legal duty for corporate boards, not just a security staff issue.

By Carter Pape

May 1

One such incident occurred in 2022, involving Overby-Seawell Company, or OSC, a vendor that monitors hazard and flood insurance for Arvest. The breach affected OSC's systems and was the result of an unauthorized party gaining access to portions of their systems.

Arvest Bank also experienced an incident in May 2023 involving a vulnerability in MoveIt file transfer software, a vulnerability that affected at least 60 banks. That incident affected 26,388 Arvest customers, who the bank started notifying of the breach in January 2024.

MoveIt is one of the file transfer tools used by Fiserv, a vendor to Arvest Bank. A review of the affected files in that case determined that one or more files may have contained information including check images, deposit slips and remote deposit capture files. The remote deposit capture files included names, addresses, telephone numbers, account numbers and routing numbers.

Technical glitches exposing customer data

Other banks have also suffered data breaches similar to the one at Arvest that allowed some customers to see other customers' data.

For example, in 2021, JPMorganChase told customers that a technical glitch may have allowed customers to see other customers' names, account numbers, balances and transactions. In that case, the problem lasted from May 24 to July 14.

Similarly, OpenAI suffered a breach in March 2023 in which some customers were able to see other paying customers' names, email addresses, payment addresses, chat titles, credit card type and last four digits of credit card numbers.