More Than a Million People Affected by Patelco Credit Union’s Data Breach

RansomHub allegedly breached the California CU’s systems; FBI issues an advisory to warn organizations about this cyber threat.


In an amended public filing, the $9.5 billion Patelco Credit Union reported the personal information of more than one million current and former members and employees had been accessed during a June ransomware attack.

The amended public filing, which reported 1,009,472 persons including 269 Maine residents were affected, was posted by Maine’s Attorney General’s office on Sept. 23. In August, the Dublin-Calif.-based credit union reported 726,000 persons, including 126 Maine residents, were affected by the June breach, according to the credit union’s data breach notification posted by the Maine AG’s office on Aug. 20.

“Following our initial disclosures in August 2024, we conducted additional analysis to ensure we identified as many potentially impacted individuals as possible,” Patelco said in a prepared statement regarding the amended public filing. “In order to meet our legal obligations under applicable state data privacy laws following this additional due diligence, we filed amended disclosures with certain regulatory officials. Regardless of this, credit monitoring is still available to any current or former Patelco Credit Union member who requests it before November 19, 2024.”

Although Patelco reported that the breach initially occurred on May 23, the ransomware hackers didn’t shut down most of Patelco’s online and mobile banking systems until June 29, which caused significant inconvenience for members. While some members were angry or concerned, other members took the shutdown in stride and supported Patelco’s round-the-clock work to restore its services, which was completed on July 13.

Although Patelco’s investigation identified unauthorized access to some of its databases, the specific data that was accessed has not been determined.

“Accordingly, we are notifying individuals whose information was in those databases,” Patelco said. “The information in the accessed databases included first and last name with Social Security number, Driver’s License number, date of birth, and/or email address. Not every data element was present for every individual.”

Although the credit union did not reveal the specific ransomware that allegedly breached its system, an outfit identified as RansomHub added the credit union to its Tor leak site in August, according to SecurityAffairs.com, a site that reports on cybercrime.

RansomHub reportedly operates a “ransomware-as-a-service (RaaS) operation,” meaning that the group creates and maintains the ransomware code and infrastructure, and rents it out to other cybercriminals who act as affiliates, according to Tripwire Inc., a Portland, Ore.-based software firm that focuses on security and compliance automation. It is a subsidiary of technology company Fortra.

SecurityAffairs.com also reported that RansomHub allegedly wrote the following on its leak site: “We conducted negotiations for up to 2 weeks, and unfortunately we were unable to reach an agreement. The company’s management doesn’t care about the privacy of customers at all. We auction the sensitive data extracted from their network[,] We will update the data sample in the next few days.”

Patelco did not comment on this reported RansomHub statement.

According to Tripwire, RansomHub is already considered one of the most prolific ransomware groups in existence.

“In its online manifesto, RansomHub says: Our team members are from different countries and we are not interested in anything else, we are only interested in dollars,” Tripwire reported.

On Aug. 29, the FBI along with other federal agencies issued an advisory to warn organizations that RansomHub, since its inception in February 2024, has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, health care and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation and communications critical infrastructure sectors.

“The (criminal) affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise,” the advisory read. “The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser).”

The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site, according to the advisory.

The cybersecurity advisory provides recommendations for organizations to reduce the likelihood and impact of ransomware incidents.

Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
