Massive Data Breach at Global Banking Group Exposes 28 Million Customer Records

International banking group Meridian Financial has disclosed a massive data breach affecting approximately 28 million customers across 12 countries after attackers exploited a misconfigured API endpoint in their mobile banking platform.

The breach, which occurred between January 15 and February 22, 2026, exposed customer names, account numbers, transaction histories, Social Security numbers, and encrypted password hashes. Meridian discovered the unauthorized access on February 25 during a routine security audit.

"We deeply regret this incident and are taking immediate steps to protect our customers," said Meridian CEO Patricia Walsh in a statement. "We have engaged leading cybersecurity firms to conduct a thorough investigation and have notified all relevant regulatory authorities."

Security researcher Marcus Hutchins noted that the breached API endpoint lacked proper authentication and rate limiting, calling it "a textbook example of OWASP API Security Top 10 violations." The exposed endpoint allowed unauthenticated access to customer data through predictable sequential account identifiers.

Meridian is offering affected customers two years of free identity monitoring and credit protection services. Several class-action lawsuits have already been filed in the United States and European Union. Financial regulators in multiple jurisdictions have launched investigations.