Patelco CU Reported Data Breach in 2023, Affected 181,000 Members

On Sept. 23, 2023, Sophie Jani and her 12-year-old daughter of Sacramento, Calif., received a notice from the $9.7 billion Patelco Credit Union that they were among the 181,507 members who had their personal and banking information exposed by one of its vendors.

The Dublin, Calif.-based credit union disclosed that Progress Software Corp. of Burlington, Mass., previously announced a vulnerability in its MOVEit Transfer application used by Patelco’s vendor Sovos of Atlanta, Ga., which the credit union utilized to deliver services associated with some member accounts. This breach incident did not affect Patelco’s banking systems.

According to class action lawsuits, cybersecurity companies and national media reports, a well-known Russian ransomware cybergang, Clop, began exploiting this vulnerability since late May and early June 2023 and hacked 2,773 organizations – including credit unions and banks – and 95.7 million individuals. However, IT researchers believe that Clop may have been sitting on its MOVEit exploit since 2021, TechCrunch, a leading technology news website, reported.

Although Progress Software patched MOVEit’s three security vulnerabilities last year, the company issued a Critical Security Alert Bulletin on June 25 that disclosed another vulnerability, which enables attackers to bypass authentication and gain access to sensitive data.

It is unknown, however, whether the data breach announced by Patelco last September is connected in any way to the credit union’s June 29 ransomware attack that shut down its online banking systems. The credit union declined to answer questions from CU Times as to whether the June ransomware breach may have been triggered by Clop or another ransomware cybercriminal group. A Patelco spokesperson emphasized that the data breach announced in September did not affect the credit union’s banking systems.

In October 2023, Sophie Jani filed a proposed class action complaint in U.S. District Court in San Francisco arguing that members held the reasonable expectation and mutual understanding that Patelco and its vendors would comply with its obligations to keep members’ personally identiiable information (PII) confidential and secure from unauthorized access. PII typically includes names, addresses, emails, Social Security numbers, account numbers, dates of birth, phone numbers and driver’s license numbers.

“Patelco’s data security obligations were particularly important given the substantial increase in cyberattacks and/or data breaches of major companies before the (Patelco’s) data breach,” the complaint stated.

Throughout June and July 2023, there were multiple national mainstream and trade media outlets that posted reports about the MOVEit vulnerability, which enabled the Russian hackers to steal private and sensitive information from both small and large organizations and lock it up for ransom. Nearly 80% of those organizations were based in the U.S.

Jani’s lawsuit was moved to a U.S. District Court in Boston where litigation is underway for the MOVEit Customer Data Breach, which Tech Crunch called the largest data breach in 2023.

The case’s federal docket lists dozens of plaintiffs and dozens of defendants.

In addition to Patelco listed as a defendant in the MOVEit Customer Data Breach, so is the $4.9 billion Chevron Federal Credit Union in Concord, Calif., the $1.8 billion Franklin Mint Federal Credit Union in Chadds Ford, Pa., TruStage Financial Group in Madison, Wis., TD Ameritrade, Charles Schwab, Genworth Financial, Fidelity Investments Institutional Operations, Bank of America, Union Bank and Trust Co., Umpqua Bank, Midfirst Bank, Valley National Bank, Cadence Bank, the Bank of Canton, Flagstar Bank, Community Trust Bank, Primis Bank, M&T Bank and Wayne Bank.