Auditor's Server Breach Exposes Somerset Regal Bank Customer Social Security Numbers

SR Bancorp, Inc. (SRBK) At edition (Jul 10, 2026) $141M · Live $141M

Vendor Data Breach

Company Background

SR Bancorp, Inc. (NASDAQ: SRBK) is the holding company for Somerset Regal Bank, a full-service commercial bank headquartered in Bound Brook, New Jersey with 14 branches across Essex, Hunterdon, Middlesex, Morris, Somerset, and Union Counties. With an approximate market capitalization of $140.7 million, the company had $1.14 billion in total assets as of March 31, 2026. The bank was formed through a mutual-to-stock conversion and simultaneous merger with Regal Bancorp, both completed in September 2023.

The bank has grown steadily since the merger. Net loans reached $859.1 million at March 31, 2026, up $61.9 million, or 7.8%, from June 2025, driven by commercial and residential mortgage originations. Net interest margin expanded to 3.00% for the quarter ended March 31, 2026, compared with 2.82% in the prior-year period. Asset quality remains clean: no non-performing loans were reported at March 31, 2026 and there have been no charge-offs in recent periods.

Leadership transitioned at the start of 2026. Christopher J. Pribula became President and Chief Executive Officer on January 1, 2026, succeeding William P. Taylor, who retired as CEO and became Executive Chairman of the bank. The company has also been actively repurchasing stock, retiring 761,229 shares at a cost of $12.0 million in the nine months ended March 31, 2026, and authorized a third buyback program in May 2026 for up to 801,320 additional shares.

What Was Disclosed

Mercadien, P.C. CPAs — which provides internal audit-related services to SR Bancorp and Somerset Regal Bank — discovered that an unauthorized actor had accessed and acquired files stored on Mercadien's computer servers. Those files contained personal data belonging to Somerset Regal Bank customers. According to the disclosure, the compromised information included customer names, social security numbers, account numbers, identification documents, and dates of birth.

Somerset Regal Bank's own business systems were not involved in or impacted by the incident. There was no disruption to the bank's operations, customer access to accounts or services, payment systems, or core information technology infrastructure. Customer notifications are being sent through Mercadien, as required by applicable federal and state laws and regulatory guidance.

SR Bancorp stated that as of the date of the disclosure, the incident has not had and is not expected to have a material impact on the company's consolidated financial condition or results of operations. The disclosure does not identify how many customers were affected, when Mercadien first detected the intrusion, or the scope of data exfiltrated beyond the categories listed.

Why It Matters

The combination of data types exposed — social security numbers, account numbers, and identification documents together — represents a particularly sensitive package. Customers whose information was acquired face elevated identity theft and account-takeover risk, potentially for years, even without any immediate indication of misuse. The forward-looking immateriality assessment offered as of the disclosure date does not foreclose regulatory scrutiny, civil litigation from affected customers, or the cost of expanded remediation obligations.

The incident raises a data governance question that bank regulators and examiners are likely to examine: what operational requirement caused an internal audit firm to hold a complete set of individual customer personal identifiers on its own servers? Federal and state banking regulators expect covered institutions to apply data minimization principles to third-party vendor relationships and to maintain oversight over how vendors handle sensitive customer data. The FDIC's third-party risk management guidance and equivalent state-level frameworks in New Jersey are squarely relevant here.

On the positive side, the bank's core financial position is not under stress. The loan portfolio carries no non-performing credits as of March 31, 2026, credit losses remain nominal, and net interest income has been improving. The breach appears confined to a vendor's environment and does not appear to reflect on Somerset Regal Bank's own security posture — but the bank remains responsible under applicable law for the protection of customer data regardless of where it resides.

Continue with a free account

Read up to 3 full stories per week — your choice. Pro unlocks the full edition.