On August 26 and 27, 2019, an unauthorized third party accessed the Organization?s systems. The Organization investigated and determined a hacker logged into a merchant account on the Organization?s platform using valid login credentials. The hacker was able to exploit a vulnerability allowing them to gain access to personal information relating to loan applications for other merchants. The hacker did this by creating a script to export the personal information from the platform through a non-public application programming interface (API). This API was the source of the vulnerability. It is not known how the hacker came to be in possession of valid credentials. While all data is encrypted at rest in the Organization?s database, the affected API decrypts data in order to display it to merchants.