Patelco's Ransomware Investigation Confirms Member & Employee Information Exposed

The California CU does not say how many former and current members’ and employees’ personal information may have been affected.


The $9.5 billion Patelco Credit Union said Tuesday its investigation confirmed last week that the June 29 ransomware attack accessed databases, which contained the personal information of current and former members and employees.

What’s more, the Dublin, Calif.-based credit union’s investigation also determined an unauthorized party gained access to the credit union’s network on May 23.

Ransomware hackers shut down most of Patelco’s online and mobile banking systems on June 29, which caused difficulties for its 507,000 members. While some members were angry or concerned, others took the shutdown in stride and supported Patelco’s round-the-clock work to restore its services, which occurred on July 13.

When the credit union became aware of the June ransomware attack, it contained the threat by proactively disabling all unauthorized access to its network, restored all data and notified law enforcement. Patelco also launched an investigation and worked with external cybersecurity professionals experienced in handling these types of incidents.

It wasn’t until Aug. 14, however, that the credit union’s investigation determined that the ransomware attack accessed databases containing the personal information of current and former members and employees.

“We recently confirmed that this incident involved unauthorized access to member and team member information,” Patelco President/CEO Erin Mendez wrote in a prepared statement on Tuesday. “We deeply regret that this incident occurred.”

Mendez referred members to the credit union’s data breach notice.

“Although the investigation identified unauthorized access to some of our databases, the specific data that was accessed has not been determined,” the notice read. “Accordingly, we are notifying individuals whose information was in those databases. The information in the accessed databases included first and last name with Social Security number, Driver’s License number, date of birth, and/or email address. Not every data element was present for every individual.”

Patelco did not say how many former and current members’ and employees’ personal information may have been exposed.

“The specific data that was accessed has not been determined, but we notified individuals whose information was in those databases and with valid email addresses,” a Patelco spokesperson said. “Additionally, all current and former Patelco members and employees have access to credit monitoring services free of charge.”

The credit union is offering current and former members a complimentary two-year membership of Experian IdentityWorks Credit 3B.

“This product helps detect possible misuse of your personal information and provides you with identity protection services focused on immediate identification and resolution of identity theft,” Patelco’s data breach notice said. “IdentityWorks Credit 3B is completely free to you, and enrolling in this program will not hurt your credit score.”

Since January, six other credit unions have reported data breaches, unrelated to the Patelco issue, to the California Attorney General’s office, as required by state law.

The AG’s list included the $1.4 billion Ventura County Credit Union in Ventura, the $814 million Community First Credit Union in Santa Rosa, the $1.4 billion OE Federal Credit Union in Livermore, the $6.4 billion Wescom Central Credit Union in Pasadena, the $2.7 billion Orange County’s Credit Union in Santa Ana and the $4.6 billion SAFE Credit Union in Folsom.

These data breach reports are not related to Patelco’s ransomware and data breach incident.
