Back Online, but Not Out of the Woods: CU Ransomware Update

Although affected CUs resumed services as of Dec. 13, they face “unique challenges post-recovery,” the NCUA says.

As of last Wednesday, Dec. 13, all credit unions using FedComp as a core processor that were affected by a Nov. 26 ransomware attack are back online, and members of the affected credit unions should have full access to their funds and services, according to a statement from an NCUA spokesperson Monday.

However, for the approximately 60 credit unions whose operations were interrupted, the full recovery process is likely to be “ongoing,” according to the federal agency.

“Each credit union faces unique challenges post-recovery, such as reconciling manual transactions and ensuring all member services are fully functional,” the NCUA spokesperson said. “The credit unions are working to recover from not having access to their core processing and other services that were lost during the attack.”

While details concerning the full scope of the ransomware attack and who was behind it have not been made publicly available, it has been confirmed that the attack targeted Ongoing Operations, a credit union information technology organization and unit of Trellance Cooperative, as well as FedComp, a third-party vendor of Trellance. FedComp is a core processor that moved its hosting business to Ongoing Operations in 2013. On Dec. 7, NCUA Chairman Todd Harper said all the credit unions affected by the FedComp outage were small institutions with $100 million or less in assets.

Ongoing Operations posted a status update on its website, which was last updated on Dec. 7, stating that the incident was “isolated to a segment of the Ongoing Operations network and does not impact Trellance products or services,” and that its “team is diligently working around the clock to minimize service interruptions wherever possible and to ensure the safety of information stored on our systems.”

The NCUA noted that the affected credit unions may still be in the process of reconciling transactions that were handled manually during the outage. One of these is the $52.5 million, Peru, N.Y.-based Mountain Valley Federal Credit Union, which, according to a statement to members posted Dec. 14, was still in the process of posting debit card transactions that occurred and were approved during the downtime. Mountain Valley also said its November monthly statements and e-statements would be delayed as a result of the outage.

According to an earlier statement from Mountain Valley posted Dec. 10, the credit union's data processor contacted it at 11 p.m. on Dec. 9 to say that online banking was back up and operational.

The NCUA said it is continuing to monitor the situation and support the affected institutions as they return to full operational normalcy, but noted that it is not receiving daily status reports.

Amid news of the ransomware attack, the NCUA has been renewing its call for congressional action to provide the agency with third-party vendor authority – something the Government Accountability Office, Financial Stability Oversight Council and NCUA’s Inspector General have all recommended.

“It has been over 20 years since the NCUA had the necessary statutory authority to examine third-party vendors for risks such as this one; and as a result, the NCUA’s ability to analyze and assess risks posed by third-party vendors in the credit union system remains limited,” the NCUA spokesperson’s Monday statement read. “Because the world is more interconnected than ever, these types of cyber events will continue to cost credit unions, credit union members and the NCUA time and money. CUSOs and credit union third-party service providers do not have the same level of oversight as bank vendors because the NCUA lacks the statutory authority to directly examine or supervise these entities. Until this regulatory blind spot is closed, thousands of federally insured credit unions, tens of millions of consumers who use credit unions, and trillions of dollars in assets are exposed to high levels of unnecessary risk.”