SR Bancorp Discloses Vendor Data Breach Exposing Certain Customer Records

SRBKenforcement

July 10, 2026

share

SR Bancorp, Inc., the holding company for Somerset Regal Bank, filed a Form 8-K with the Securities and Exchange Commission on July 10, 2026, disclosing a data security incident at one of its third-party vendors. The filing indicates that Mercadien, P.C. CPAs, which provides internal audit-related services to the company and the bank, discovered unauthorized access to its computer servers.

According to the filing, an unknown actor accessed and acquired certain files stored on Mercadien's systems. Those files contained sensitive customer data belonging to Somerset Regal Bank, including names, Social Security numbers, account numbers, identification documents, and dates of birth. The company emphasized that the bank's own business systems, operations, payment systems, and core information technology infrastructure were not involved in or disrupted by the incident. Customer access to accounts and services was not affected.

The bank is providing customer notifications through Mercadien, as required by applicable federal and state laws and regulatory guidance. SR Bancorp stated that, as of the date of the disclosure, the incident has not had a material impact on its consolidated financial condition or results of operations, and it does not expect one to materialize. The filing includes standard forward-looking statement caveats noting that the ongoing assessment of the incident, potential misuse of the data, and resulting legal or regulatory risks could cause actual outcomes to differ.

This disclosure follows a pattern of heightened regulatory attention to cybersecurity across the financial services industry, where third-party vendor breaches remain a persistent source of risk. While the company's core systems were untouched, the exposure of detailed personally identifiable information through an audit provider highlights the indirect channels through which customer data can be compromised. The filing serves as the company's official notice to investors that it is managing the fallout from the vendor's security failure, though it has not quantified the number of affected customers or detailed any specific regulatory inquiries at this stage.

Original filing →

Record Alpha uses automated systems to identify and summarize public filings, court records, and regulatory actions as they become available. Every article links directly to the primary source document so readers can verify details firsthand. This content is for informational purposes only and is not investment, legal, or financial advice. Full disclaimer →

DisclaimerPrivacyTermsContact

© 2026 Record Alpha. All rights reserved.