NCUA’s Harper Is ‘Frustrated’ With Ongoing Ransomware Issue
He says the NCUA has been in contact with affected CUs, but is limited by the agency’s lack of authority in this situation.
Lack of information. Lack of communication. Lack of authority. On Thursday, NCUA Board Chairman Todd Harper did not hold back his feelings of frustration concerning the ransomware attack that has crippled approximately 60 credit unions around the country.
Not only did Harper provide a more detailed look at the impact of the ransomware attack on credit unions, he also gave details that reveal the attack may have started earlier than the organizations involved have reported.
According to Ongoing Operations, a unit of Trellance Cooperative Holdings, the ransomware attack began Nov. 26 and effectively shut down operations for approximately 60 credit unions. It appears the attack was aimed at Ongoing Operations, a credit union information technology organization acquired by credit union fintech Trellance in November of last year. The attack also targeted FedComp, a third-party vendor of Trellance.
While Ongoing Operations stated its “cybersecurity incident” began on Nov. 26, Chairman Harper said, “Since Nov. 24, the NCUA has been responding to system outages that are affecting member account availability at several credit unions nationwide.”
Harper spoke publicly for the first time about the ransomware attacks Thursday during his quarterly media availability with reporters. He said, “All the affected credit unions are small institutions with $100 million or less in assets. Based on our estimates, approximately $912 million in aggregate assets and 93,000 members are affected by the FedComp outage.”
He added, “The NCUA has been in contact with affected institutions since last week and is working directly to help them get their systems and operations back online so members can access their funds. Additionally, the NCUA has been in contact with FedComp, the United States Treasury Department, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, as well as Congress as part of our incident response.”
During his update, Harper took the opportunity to express the need for Congress to renew the NCUA’s third-party authority.
“It has been more than 20 years since the NCUA had the necessary statutory authority to examine third party vendors for risks such as this one,” said Harper.
“As the result, the NCUA’s ability to analyze and assess risks posed by third party vendors in the credit union system remain limited. And when incidents and outages like this one occur, the agency’s lack of authority limits our ability to respond effectively and quickly, which negatively impacts credit unions and their members,” he added. “In fact, the NCUA’s response was delayed by several days due to a lack of direct information from the service providers. Even today, almost two weeks after the first incident report, the NCUA is still unable to determine the full extent of the ransomware attack and the resulting outages and disruptions to FedComp, Trellance and Ongoing Operations, as well as other secondary systems and vendors that utilize these systems to support credit unions.”
According to a statement posted Thursday morning by one of the credit unions impacted by the ransomware attack, Peru, N.Y.-based Mountain Valley Federal Credit Union ($52.5 million in assets, 4,647 members), its computer systems are up and fully operational. “However, home banking is still down. We are being told again that it should be up some time today.”
Ongoing Operations posted an update Thursday. CU Times compared the organization’s last update, which was posted Dec. 2, to the Dec. 7 update and found only a few changes.
The most significant update was the removal of the following sentence from its Nov. 2 statement, which read: “Please know that currently, we have no evidence of any misuse of information, and we are providing notice in an abundance of caution to ensure awareness of this event.” Instead, the organization’s Dec. 7 statement added, “Ongoing Operations will assist impacted credit unions with member notification and will offer complimentary credit monitoring and identity restoration services to those who are impacted.”
Ongoing Operations has said it is not taking media requests for interviews.
Harper and his staff have hope the ransomware attack might come to a resolution soon, but admit they don’t know for sure.
“I think I can speak not only for myself, but also for staff and that we are all indeed frustrated,” said Harper.