Did CUNA Ransomware It Well?

CU Times' editor-in-chief calls for more openness as it relates to what happened during a recent "cyber incident" at CUNA.


February is a month many people just want to get through and out of alive, unscathed or uninjured – so we can continue on and get back to the business we need to do for the rest of the year.

You could argue that CUNA is having that kind of month.

In the early days of February, Feb. 4 to be exact, we received an announcement from CUNA stating that the organization was addressing what it described as a “cyber incident” and a “business disruption issue.”

Of course, when you put out statements that vague while at least some of your IT systems are offline and your website isn’t fully functioning, it immediately raises questions that these statements aren’t answering and signals that something more significant is happening.

That seemed apparent since CUNA also made a point to say it was working with the FBI and that “CUNA does not store Social Security numbers or credit card numbers of our members.”

To be fair, having the FBI involved isn’t unusual when it comes to cybersecurity problems (a.k.a. getting hacked), but CUNA didn’t admit or clarify that the organization had been hacked or compromised; it only stated that it was a “cyber incident.”

But, the giant red flag for us came when CUNA mentioned Social Security and credit card numbers. In our experience, organizations tend to mention those items when something potentially sinister is going on.

Despite digging, researching and reaching out to sources, that’s all we heard for three days from CUNA until TechCrunch was first to report that CUNA’s “systems were knocked offline Monday as a result of ransomware,” according to one of its sources.

Our reporters sent that article to CUNA for verification and/or comment. Still no response. Two days later, we were emailed two sentences from CUNA’s vice president of strategic communications, Vicki Christner: “Our investigation has confirmed that this incident was caused by ransomware. As soon as we were able to confirm the cause of the incident, we shared this information with our members.”

Officially, that’s it. The issue has been put to bed. It’s done. Moving on. That was on Feb. 7.

For clarification, ransomware is basically malicious software designed to block and/or shut down computers and servers until money is paid to the hacker(s).

That same week in Rockdale County, Ga., county officials announced they had been hit with a ransomware attack after a county employee clicked on an email attachment. According to the county, roughly 30% of the county’s systems were locked by hackers. While amusing, and something I’d tell my dad to do, the county literally disconnected and unplugged several servers. Because of this ransomware attack, county citizens weren’t able to pay bills or conduct normal county business. To me, this sounds like a “cyber incident” and a “business disruption issue.”

As of this writing, the county hadn’t paid the ransom, but it was preparing for that demand to come.

In this case, who ransomwore it better? CUNA or Rockdale County, Ga.?

Obviously, this is the main difference between public and private organizations and the disclosure rules they follow.

Many public and private entities have purchased cyber insurance specifically for when a ransomware attack happens. Here’s the thing about cyber insurance – business is great! According to the security firm Emsisoft, the number of organizations hit by a ransomware attack jumped 41% in 2019 (that’s more than 205,000 organizations that reported a ransomware attack). Experts agree that the number is probably much, much higher than that because private organizations do not have to publicly report any kind of hacking incident.

Cyber insurance companies are on average paying out $84,116 to the ransomware attackers. If you think about it, cyber insurance companies have a strange and possibly gross business model: Profits go up as long as hackers keep hacking. Maybe the cyber insurance industry should have a new slogan? Some ideas: Pay us, so we can pay them; Hacking, it’s good for business; or Extortion, it’s what we do.

That last one was pretty harsh, I agree. And it does kind of get to the complicated core of the cyber insurance/client relationship.

It was reported that one cyber insurance organization, which will go unnamed, posted a list of its clients on its website. Turns out, hackers saw the list and went after those organizations because they knew the likelihood of getting the ransom paid was much higher than with an organization without cyber insurance.

Here’s the other thing with cyber insurance teams: They can and do directly negotiate with the attackers on the terms of releasing the information back to the organization. For instance, even if the hackers had compromised all of the personal and payment information inside the hacked servers, the negotiator could strike a deal with the hackers – we’ll pay you if you don’t release the personal information so we can say to the public that no personal information was compromised. I’m oversimplifying here, of course, but that’s the gist of what has and could happen in these types of ransomware situations.

The City of New Orleans, the U.S. Coast Guard, the City of Atlanta, 22 different cities and towns in Texas, Barclays and health care clinics in Michigan and Colorado. These are just some examples of who’s been hit with ransomware attacks in the past handful of months.

Our editorial team filled out the same registration forms as thousands of you did for this year’s Governmental Affairs Conference. Was that information compromised? We don’t know.

What organization was behind the attack? We don’t know. Does CUNA have cyber insurance? Did they pay the ransom? We don’t know. What information was compromised? We don’t know.

To CUNA’s credit, it handled this situation as many other professional crisis public relations experts have done, with one significant exception: social media.

During the time this ransomware attack was going on and CUNA said it was communicating with members in the form of a letter from Jim Nussle, you would not have seen any social media posts on any of CUNA’s accounts about the problem. On Feb. 6, there was a post by @JimNussle on Twitter with a photo of the cooperative principles etched into a glass partition at CUNA’s headquarters and a post stating, “Our cooperative ‘super powers’ and principles are so important to us, we carve them into our glass wall.”

The cooperative principles are nice and all. When it comes to “cooperative members believe in the ethical values of honesty, openness, social responsibility and caring for others,” as stated by the International Co-operative Alliance, I’d ask, on behalf of credit union members and my team’s personal information on CUNA’s servers, for more openness as it relates to what happened.

Michael Ogden

Michael Ogden is editor-in-chief for CU Times. He can be reached at mogden@cutimes.com.