From the SAR instructions:
2. Computer Intrusion. For purposes of this report, computer intrusion is defined as gaining access to a
computer system of a financial institution to:
a. Remove, steal, procure or otherwise affect funds of the institution or the institution's customers;
b. Remove, steal, procure or otherwise affect critical information of the institution including customer account information or
c. Damage, disable or otherwise affect critical systems of the institution.
For purposes of this reporting requirement, computer intrusion does not mean attempted intrusions of websites or
other non-critical information systems of the institution that provide no access to institution or customer financial
or other critical information.
So if they took the password to get bank or customer info, I would also check box 35(f), and all the others applicable.
_________________________
Liability for taking my advice is limited to the amount you paid for it.