Off the record, many credit unions, including billion-dollar institutions, had told us that indeed they had DDoS mitigation capabilities to handle run-of-the-mill attacks launched by ex-employees, terribly unhappy members, or would-be extortionists. These usually are fairly low force attacks and defense is fairly simple.

Defending against the high-velocity, nation-state level DDoS attacks is a different matter. The belief has been that only a handful of money center financial institutions had the resources on hand to defend themselves but nobody else really needed that level of protection, or so the thinking went.

Something has changed and what very well may have changed is that the big FIs have gotten good at deflecting nation state DDoS with minimal downtime. They have contracted with the mitigation companies, they have bought the mitigation appliances, they have arranged for redundant Internet broadband (often having arrangements with three providers). And so they were ready.

Smaller institutions are not ready.

That point is made vivid in a recent report, “A Study of Retail Banks and DDoS Attack,” sponsored by Corero Network Security. The full document is here.)

In an interview, Marty Meyer, CEO of Corero, a DDoS mitigation appliance maker in Hudson, Mass., said that in the survey of 351 banks, 48% said they had suffered multiple DDoS attacks in the prior 12 months and 78% said they expected DDoS attacks to continue or slightly increase in the coming year.

What Meyer said he found worrisome in the data is that “only 17% of the institutions said they were effective at responding to DDoS.”

Many pointed to utterly inadequate defenses such as firewalls as their DDoS response. Firewalls, noted Meyer, were never designed to mitigate DDoS and won't do that job.

Meyer indicated that no credit unions were included in the survey, although “we do have credit union customers, around a dozen.”

For reasons of simplicity the survey – conducted by third-party researchers – focused only on banks, including “some of the largest in the world,” said Meyer, who declined to name names.

Have credit unions had fewer, or more, attacks than banks? Nobody knows. NCUA's current regulations require incident reports only if an event results in a potential compromise of member data and, in classic DDoS, what happens is that the overwhelmed network collapses. But there is no data leakage.

And therefore there is no reporting to NCUA.

Up until last Thursday there was a widespread belief that probably credit unions had many fewer attacks – they generally don't get the hate that banks do – but the UFCU attack has to put the industry on notice that credit unions don't have DDoS immunity. Not anymore.

And they had better begin assembling defenses to guard against what could turn out to be a long spell of high volume DDoS attacks.

If University Federal Credit Union is not safe, who is?