California CUSO & Illinois Credit Union Report Data Breaches

CUSO Financial Services (CFS) of San Diego, Calif., reported on Monday what it described as an external system breach that affected 75,116 persons. This breach followed a February notification of an email security event that involved CFS data affecting 25,692 persons, according to public filings with the Maine Attorney General’s Office in Augusta.

In addition, the $1 billion Abbott Laboratories Employees Credit Union in Gurnee, Ill., also reported an external system breach notification with the Maine Attorney General’s office on Oct. 18 that affected 36,044 persons. The credit union serves more than 31,000 members.

CFS, a nationwide broker-dealer providing investment services for credit unions, said on Jan. 19, the organization became aware of suspicious activity involving a third-party service provider that CFS uses for archiving communications required by the Financial Industry Regulatory Authority (FINRA).

“An investigation determined that an unauthorized individual accessed one CUSO employee’s account between December 19, 2023 and January 19, 2024,” CFS said in its letter to Maine residents affected by the breach. “We immediately launched a thorough review of the affected account with the assistance of cybersecurity specialists to identify whether any personal information was involved. Our investigation confirmed that information related to you was stored in the affected account. Out of an abundance of caution, we are notifying you of this event.”

The breach, however, was not discovered until Sept. 10, according to the Data Breach Notification.

“Upon learning of the incident, we immediately secured the affected account, reset passwords and engaged cybersecurity specialists to conduct a thorough investigation,” CFS said in its letter. “We have also notified federal law enforcement and continue to work with them.”

The personal information that may have been accessed by bad actors typically includes the name, address, email, account number, date of birth, driver’s license number and Social Security number.

Eight months ago on Feb. 16, CFS mailed a notification letter to its clients about an email security incident.

“On October 20, 2023, CFS learned about an email security event impacting CFS data. Specifically, an email application, Barracuda Networks, had a vulnerability that allowed an unauthorized party to gain access to historical emails and attachments,” the CFS notification read. During an investigation, CFS learned that information from July 5, 2022 related to CFS may have been impacted. The investigation was unable to identify which emails and attachments were viewed or acquired by the unauthorized party. Therefore, CFS is providing you with notice of the event in an abundance of caution.”

CFS said it confirmed that the vulnerability was closed and that no additional data was at risk.

“Additionally, we assessed any potentially impacted accounts to notify affected individuals,” CFS said in its notification letter. “Further, the event was reported to federal law enforcement.”

The 100,814 persons affected by these two incidents were offered free identity theft protection services.

Abbott Laboratories Employees Credit Union (ALEC) said its external system breach occurred on Aug. 2, but it was not discovered until Sept. 23.

“We recently learned that an unknown, unauthorized third party gained access to one ALEC employee email account. Upon discovering the incident, we promptly secured the email account and began an internal investigation,” ALEC wrote in its Oct. 18 notification letter. “We also engaged a forensic security firm to investigate and confirm the security of our email systems. The investigation determined that an unauthorized third party accessed the email account on August 2, 2024, and may have acquired certain information contained in the account.”

The credit union said that it reviewed the contents of the involved email account to determine if it contained any personal information that may have been viewed or acquired by the third party.

“On September 23, 2024, we completed our review and determined that the email account contained some of your personal information,” the credit union said in its notification letter that was sent to 36,044 members.

ALEC said it is taking steps to reduce the risk of this type of incident occurring in the future, including further enhancing its security measures.

“Although we are not aware of any instances of fraud or identity theft involving your information, we are also offering a complimentary one-year membership of Experian IdentityWorksSM Credit 3B,” ALEC said in its notification letter.

READ MORE: CUSO Financial Services Data Breach Notification and ALEC Data Breach Notification