Cybercrime , Finance & Banking , Fraud Management & Cybercrime

Credit Union Issues Belated MOVEit Data Breach Notification

Texas Credit Union Only Just Notifying 500,000 Members About May 2023 Data Theft
Credit Union Issues Belated MOVEit Data Breach Notification
The Texas Dow Employees Credit Union is notifying members their data was affected by the May 2023 MOVEit mass hacking event. (Image: Shutterstock)

Fifteen months after a massive supply-chain attack hit users of MOVEit secure file-transfer software, a credit union is issuing a data breach notification to victims.

See Also: Infographic: Financial Services Identity Security By the Numbers

Texas Dow Employees Credit Union said in a report filed Friday that it's notifying 500,474 individuals that their name and various personal details were exposed in the May 2023 attack on its MOVEit software.

The Lake Jackson, Texas-based credit union's website says it's the largest credit union in the Houston area and fourth largest in the state, with over $4.8 billion in assets and 387,000 members.

The financial institution said on its website that it discovered on July 30 "that certain files containing personal information of TDECU members were potentially removed from MOVEit by the bad actor between May 29-31, 2023."

Affected data includes full names in combination with date of birth, Social Security number, account and payment card numbers as well as government ID numbers such as driver's license.

The credit union said it confirmed only last month that customers' personal information was exposed. It didn't immediately respond to a request for comment on why it needed 14 months to reach that conclusion.

Multiple states require organizations to notify them about a breach "as expeditiously as practicable," and typically no later than 30 days after determining that a breach did or may have occurred. Per TDECU's published timeline, the credit union determined less than 30 days ago that a breach occurred.

The U.S. National Credit Union Administration requires that "all federally insured credit unions must notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident." But those rules only came into effect in September 2023.

TDECU was one of many organizations who used Massachusetts-based Progress Software's MOVEit secure file-transfer software and lost data. Around May 27, 2023, the ransomware group Clop - aka Cl0p - launched a massive and likely highly automated supply-chain attack against MOVEit users. The campaign, which seemed to only run for a few days, involved Clop exploiting a zero-day vulnerability in the MOVEit software to steal data being stored by organizations who use the software.

On May 31, Progress Software alerted customers to the campaign and issued a patch to fix the flaw, tracked as CVE-2023-34362. "When we discovered the vulnerability in MOVEit Transfer, we worked quickly to provide initial mitigation strategies, deployed a patch on May 31 (within 48 hours of discovery) that fixed the vulnerability and communicated directly with our customers so they could take action to harden their environments," a spokeswoman told Information Security Media Group.*

Clop didn't appear to encrypt or delete any of the targeted MOVEit servers, instead solely exfiltrating data and then extorting victims. The group netted an estimated $75 million to $100 million from a few very large victims in return for a promise they would delete stolen data, said ransomware incident response firm Coveware.

As of late June, the count of organizations affected directly or indirectly by the attack stood at over 2,770, leading to information about more than 95 million individuals being exposed, said security firm Emsisoft.

The most-affected sectors have been education, accounting for 39% of known victims, followed by healthcare at 20% and financial and professional services at 13%, it said.

Victims included IT consultancy Maximus, ShellOil, healthcare software vendor Welltok, Delta Dental of California, Nunace Communications, Gen Digital - specifically its Avast cybersecurity division - as well as state government agencies in Colorado, Louisiana, and Oregon.

The U.S. Securities and Exchange Commission recently dropped an investigation into Progress Software over the breach (see: Feds Drop Probe Into Progress Software Over MOVEit Zero-Day).

Progress previously told investors it's also "cooperating with several inquiries from domestic and foreign data privacy regulators, inquiries from several state attorneys general" as well as an investigation by a federal law enforcement agency that hadn't named Progress Software as a target.

Hundreds of proposed class-action lawsuits have also been filed against Progress Software, and consolidated into a single suit in the U.S. District Court for the District of Massachusetts.

*Update Aug. 29, 2024 07:42 UTC: This story has been updated with a statement from Progress Software and to clarify timing.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.