Credit Unions in Florida & Nebraska Hit by Email Data Breaches

The $599 million Floridacentral Credit Union in Tampa, Fla., and the $109 million MembersOwn Credit Union in Lincoln, Neb., reported security incident breaches that involved their email systems, which may have exposed the personally identifiable information (PII) of their members, according to official documents.

Floridacentral reported in public filings with the Maine’s Attorney General that 36,479 persons may have been affected, while MembersOwn did not report the number of persons who may have been impacted, according to a notice the credit union posted on its website.

Floridacentral, which serves more than 45,000 members, said it discovered suspicious activity in one employee email account on July 31 but the actual data breach occurred three months earlier.

“Upon discovering the incident, we promptly secured the email account and began an internal investigation,” the credit union said in its “notice of data breach” letter to members. “Our investigation determined that an unauthorized third party accessed the one email account between April 2, 2024, and April 4, 2024.”

In July, Floridacentral said it discovered that the breached email account contained some PII, but it has not confirmed that a third party actually viewed or acquired the PII. Although the credit union did not specifically list the PII that may have been exposed, it typically includes first and last names, member account number, Social Security number, driver’s license number, date of birth and/or email address.

“We are taking steps to reduce the risk of this type of incident occurring in the future, including enhancing our technical security measures,” Floridacentral said in its notice of data breach letter. “Although we are not aware of any instances of fraud or identity theft involving your information, we are also offering a complimentary one-year membership of Experian IdentityWorksSM Credit 3B.”

On June 13, MembersOwn identified suspicious activity associated with its “email environment,” and immediately implemented its incident response protocols, secured the email environment and hired an independent computer forensic expert to assist with an investigation.

“The investigation found that there was unauthorized access to one (1) email account between June 12, 2024, and June 13, 2024,” the credit union said in its “Notice of Email Security Incident,” which was posted on its website on Oct. 15.

“We conducted a thorough review of this account to identify any personal information present in the account during the unauthorized access. MembersOwn learned that personal information was present in the account on approximately September 3, 2024. Letters were mailed to those individuals for which MembersOwn had addresses,” the credit union said in its notice.

MembersOwn also said it appears that the impacted accounts may have included individuals’ names, and some combination of PII including addresses, Social Security numbers, driver’s license numbers or other state identification numbers, individual health insurance policy numbers, financial account information and payment card information.

The credit union said it has taken proactive measures including resetting passwords for email account and reinforcing multi-factor authentication measures.

“Letters were mailed to individuals for whom MembersOwn has addresses, which contain more information about the incident as well as instructions for enrolling in credit monitoring and identity protection services through Experian,” the credit union said in its statement.

MembersOwn, however, did not report how many individuals or accounts were affected by the data breach. The credit union serves more than 9,000 members.