Phishing Attack Exposes Personal Info for 14,754 NIHFCU Members

Posing as a third-party vendor, a fraudster gains access to a sensitive document within a CU employee’s email account.


The $825 million, Rockville, Md.-based National Institutes of Health Federal Credit Union (NIHFCU) suffered a security breach back in April that may have put personally identifiable information belonging to 14,754 members into the wrong hands, according to a statement from the credit union.

According to NIHFCU, the breach began on April 11, 2023, when an attacker who had already compromised an email account belonging to one of the credit union's third-party vendors used it to target NIHFCU staff.

“The intruder, fraudulently posing as a legitimate vendor representative, phished unsuspecting individuals including one of our employees. Our associate, unfortunately, clicked on a link, which triggered the dominoes of this security incident. NIHFCU had no way of knowing that the email received from the vendor that day was, in fact, a spoofing email. It was the same employee who later reported the suspicious activity due to changes in their email account,” Michael Stottlemyer, vice president of risk management for NIHFCU, told CU Times via email.

The fraudster had access to the credit union employee's email account for a few hours, during which time they accessed a document stored in the account that had previously been circulated via secure channels and contained sensitive information pertaining to 14,754 members, according to Stottlemyer. “It is important to note that our investigation confirmed that no other platforms or core data servers were infiltrated, and this incident was isolated to this one email account,” he emphasized.

According to a report filed by the credit union with the Office of the Maine Attorney General, the sensitive information included member names and Social Security numbers. Only six of the affected members live in Maine.

Upon discovering the incident, the credit union said it immediately secured the email account, launched an internal investigation and engaged a forensic security firm to confirm the security of its email and computer systems. On May 16, 2023, the investigation determined that the fraudster had accessed the document containing the sensitive information; once the full investigation was complete in early July, the credit union began notifying affected members via a letter that included information on ways to protect themselves against fraud and identity theft.

NIHFCU is offering 14,742 of the affected members complimentary credit monitoring and identity theft protection services, as one or more pieces of non-public data were exposed for those members. The credit union also said it is enhancing its technical security measures. In addition to notifying the Office of the Maine Attorney General, NIHFCU said it notified the NCUA and the respective Attorney General for each state whose residents may have been impacted.

“While our review determined that your personal information was contained in the email account, our investigation did not find evidence confirming that the third party actually viewed or misused any of your personal information, and we are providing this notice out of an abundance of caution,” the member letter, which was posted as an attachment with the Maine Attorney General report, stated.

James McQuiggan, security awareness advocate at the Clearwater, Fla.-based security firm KnowBe4, shared his thoughts on the significance of the breach as well as offered advice to the members impacted.

“Cybercriminals always go for the money, whether it’s digital or paper. This attack is compelling because it’s the money and a government health care banking institution,” McQuiggan said. “Sadly, this is like the trifecta of an organizational data breach, where it’s hitting these three types of industries, all of which are commonly targeted by cybercriminals.”

McQuiggan continued, “With the sensitivity of the data of its customers exposed, they will need to ensure they review their bank account and monitor other credit accounts. However, cybercriminals will likely sell off this data on the dark web to make a quick return on their investments. Cybercriminals who purchase this data will use it for spear phishing or targeted social engineering emails, so the users will also need to be vigilant and skeptical of emails, and verify senders and links to avoid being a victim of their own data breach.”