Patelco's Data Breach Affected 726,000 People

In a public filing, the $9.5 billion Patelco Credit Union in Dublin, Calif., revealed last week the personal information of 726,000 current and former members and employees had been accessed during a June ransomware attack.

What’s more, in a separate public notice filed on Friday, the $4.8 billion Texas Dow Employees Credit Union in Lake Jackson, Texas showed that on July 30, personal information of 500,474 members was potentially removed from a third-party MOVEit file transfer software breach in May 2023. The credit union currently serves 376,092 members.

Although Patelco CU President/CEO Erin Mendez announced Aug. 20 that the credit union’s investigation confirmed the June 29 ransomware attack accessed databases, which contained the personal information of current and former members and employees, she did not say how many current and former members and employees may have been affected.

However, shortly after Patelco’s Aug. 20 announcement, the office of Maine’s Attorney General posted a data breach notification that included the 726,000 number. The credit union currently serves 507,422 members.

Ransomware hackers shut down most of Patelco’s online and mobile banking systems on June 29, which led to difficult inconveniences for members. While some members were angry or concerned, other members took the shutdown in stride and supported Patelco’s round-the-clock work to restore its services, which occurred  on July 13. The information in the accessed Patelco databases included first and last name with Social Security number, driver’s license number, date of birth, and/or email address. Not every data element was present for every individual.

On Aug. 23, TDECU said its investigation revealed on July 30 that certain files containing personal information of TDECU members were potentially removed from a vendor’s software by a bad actor between May 29-31, 2023. The impacted data includes full names in combination with date of birth, Social Security Number, bank / financial account number, credit / debit card number, driver’s license / government ID, and Taxpayer Identification Number.

TDECU used third-party software vendor, MOVEit, to transfer credit union data. In May, the vendor’s software was compromised in a massive attack that affected thousands of organizations, government entities, private businesses, and financial institutions around the world. More than 20 million individuals were affected. Although certain TDECU data may have been viewed or taken by a bad actor as part of this attack, there was no compromise of the credit union’s broader network security.

Following this incident, TDECU launched an investigation that engaged external cybersecurity professionals to help determine the extent of any compromise of the information on the credit union’s network. TDECU said its broader network security was not affected.

However, the credit union’s investigation also discovered that on July 30, 2024, certain files containing personal information of TDECU members were potentially removed from MOVEit by a bad actor between May 29-31, 2023.

TDECU said it is not aware of any incidents of identity fraud or financial fraud as a result of the incident.

“Though this incident did not result from a compromise of TDECU systems, we continually evaluate and modify our practices and controls to enhance the security and privacy of your personal information,” TDECU said in its letter to members.

TDECU did not respond to a request for comment on Monday as to whether this data breach also affected former credit union members and employees.

Both credit unions are offering complimentary credit monitoring services to members.

READ MORE: The Patelco Credit Union and TDECU data breach notification filed with the Maine Attorney General’s office