The $9.5 billion-asset Patelco Credit Union in Dublin, California, disclosed in a public filing last week that personal information of 726,000 current and former members and employees was accessed during a ransomware attack in June.
Additionally, in a separate public notice filed Friday, the $4.8 billion Texas Dow Employees Credit Union in Lake Jackson, Texas, indicated on July 30 that personal information of 500,474 members may have been deleted in May 2023 due to a breach of third-party MOVEit file transfer software. The credit union currently serves 376,092 members.
Patelco CU President and CEO Erin Mendez said Aug. 20 that the credit union’s investigation confirmed that a database containing personal information of current and former members and employees was accessed in the June 29 ransomware attack, but did not disclose how many current and former members and employees were affected.
Ransomware hackers took down most of Patelco’s online and mobile banking systems on June 29, causing significant inconvenience to members. While some members expressed anger and concern, others took the outage in stride and supported Patelco’s around-the-clock efforts to restore service on July 13. Information from the Patelco database that was accessed included first and last names, Social Security numbers, driver’s license numbers, dates of birth, and/or email addresses. Not all data elements were present for every individual.
On August 23, TDECU announced that an investigation on July 30 revealed that certain files containing personal information of TDECU members may have been deleted from the vendor’s software by malicious actors between May 29 and 31, 2023. The affected data included full names combined with dates of birth, Social Security numbers, bank/financial account numbers, credit/debit card numbers, driver’s license/government issued IDs, taxpayer identification numbers, and more.
TDECU used a third-party software vendor, MOVEit, to transfer the credit union’s data. In May, the vendor’s software was compromised in a massive attack that affected thousands of organizations, government agencies, private companies, and financial institutions around the world. Over 20 million individuals were affected. As part of the attack, specific TDECU data may have been viewed or obtained by malicious actors, but the credit union’s overall network security was not compromised.
Following the incident, TDECU has hired an outside cybersecurity expert to launch an investigation to determine the scope of the compromise of information on the credit union’s network. TDECU says the overall security of its network is not affected.
However, the credit union’s investigation also determined on July 30, 2024 that certain files containing personal information of TDECU members may have been deleted from MOVEit between May 29-31, 2023 by a malicious actor.
TDECU said there have been no reports of identity or financial fraud occurring as a result of this incident.
“While this incident did not result from a breach of TDECU systems, we are continually evaluating and revising our practices and controls to enhance the security and privacy of our members’ personal information,” TDECU said in a letter to members.
TDECU did not respond to a request for comment Monday about whether the data breach also affected former credit union members or employees.
Both credit unions offer free credit monitoring services to their members.
