As previously disclosed on April 21, 2023, Middlefield Banc Corp. (the “Company”) learned of a cyber-attack that resulted in a disruption to the computer systems of The Middlefield Banking Company (the “Bank”), the Company’s banking subsidiary. The Bank took immediate action to remediate the security vulnerability and retained a cybersecurity firm to investigate the nature and scope of the incident, evaluate our systems, identify solutions, and confirm what data had been impacted by this event, if any. The Bank also notified law enforcement.
Our forensic review has determined that nonpublic information relating to current and former employees, customers and others was obtained from our systems during this incident. While the information varies by individual, some of the types of information that may have been obtained include name, Social Security number, driver’s license information, date of birth, financial account information, medical information, passport number, payment card information, and username and password. We have begun notifying all potentially impacted individuals in accordance with applicable law. The Bank is also notifying regulatory authorities in accordance with applicable law. We will offer complimentary identity protection services to all potentially impacted individuals.
The Company does not believe the incident will have a material adverse effect on its business, operations, or financial results. The Company remains subject to risks and uncertainties due to the incident, including potential litigation, changes in customer behavior, and additional regulatory scrutiny.
Forward-Looking Information
This Form 8-K contains certain statements that may be considered forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, including the Company’s current expectations concerning the resolution of this cyber-attack and its impact on the Company’s business, operations or financial results. Such forward-looking statements include, but are not limited to, statements as to future results of operations and financial projections, express or implied statements relating to the Company’s expectations regarding its ability to contain and assess the cyber-attack and the impact of the cyber-attack on the Company’s business, operations and financial condition. Factors that could cause actual results to differ materially from those expressed or implied include the following: the ongoing assessment of the cyber-attack; legal, reputational and financial risks resulting from the cyber-attack or additional cyber-attacks; and the other factors set forth in the Company’s Annual Report on Form 10-K for the year ended December 31, 2022, and other public filings with the Securities and Exchange Commission. Forward-looking statements are based on currently available information and our current beliefs, expectations and understanding, which may change as our investigation and remediation efforts progress. Except as required by the federal securities laws, the Company undertakes no obligation to publicly update or revise any forward-looking statement, whether as a result of new information, future events or otherwise. Forward-looking statements speak only as of the date they are made, and we do not undertake to update these statements other than as required by law and specifically disclaim any duty to do so.