Patelco Loses $39 Million During Last Summer’s Hack
California credit union says most of the loss is related to members overdrawing money during the event.
Patelco Credit Union lost $39.2 million in the third quarter burdened by a $38 million special charge, most of it related to last summer’s ransomware attack and related online outage.
The net loss at the San Francisco Bay-area credit union ($9.5 billion in assets, 506,920 members) was an annualized -1.64% of average assets, compared with ROA of 0.54% in 2023’s third quarter when it earned $12.9 million.
The charge lowered Patelco’s net worth, but not by much. Its net worth ratio stood at a “well-capitalized” 10.44% on Sept. 30, down from 10.78% on June 30.
Rina Johnson, Patelco’s vice president of marketing, said in an email Tuesday that the charge, called a “Miscellaneous Non-Interest Expense” in its NCUA Call Report, was mostly to cover overdrafts by members, and not overdrafts caused by hackers taking money from accounts.
“We did not pay a ransom,” Johnson said.
“The $38 million in Miscellaneous Non-Interest Expense primarily consists of reserves for negative shares, which were caused by members overdrawing their accounts during the system outage,” Johnson added. “We are working with members on an individual basis to help them reconcile their accounts and further support their financial health.”
With the charge, Patelco has “adequately reserved for all expected losses related to the security incident,” she said. “However, the final outcome may not be resolved for an extended period of time and could be different than expected.”
The provision was recorded on the balance sheet under “other liabilities,” Johnson said. The NCUA’s “Accounts Payable, Accrued Interest on Borrowings, and Other Liabilities” rose by $62.3 million, or 85%, from June 30 to Sept. 30.
Patelco has said ransomware hackers breached Patelco’s systems May 23. On June 29, the hackers shut down most of Patelco’s online and mobile banking systems, and it took Patelco until July 13 to restore them.
Patelco disclosed the breach in August. “The information in the accessed databases included first and last name with Social Security number, Driver’s License number, date of birth and/or email address. Not every data element was present for every individual.”
CU Times’ Peter Strozniak reported Oct. 1 that more than one million people were affected by the data breach.
An entity called “RansomHub” took credit for the breach.
Tripwire Inc., a Portland, Ore.-based software firm that focuses on security and compliance automation, reported that RansomHub wrote on its leak site: “We conducted negotiations for up to 2 weeks, and unfortunately we were unable to reach an agreement. The company’s management doesn’t care about the privacy of customers at all. We auction the sensitive data extracted from their network[,] We will update the data sample in the next few days.”
CU Times found Patelco’s loss during a routine check for large losses in NCUA Call Reports filed by Nov. 1.
A check of NCUA data pulled from Callahan’s Peer Suite showed at least eight other credit unions had third-quarter losses greater than $5 million. The losses were found among a sample of credit unions, including all those with first-half losses of more than $2.4 million.
The losses dragged down net worth, but the ratios remained above the 7% threshold for “well-capitalized,” except for one: Excite Credit Union of San Jose, Calif. ($653.4 million in assets, 46,304 members). It lost $5.5 million in the third quarter (ROA -3.32), following a $5.1 million loss (ROA -1.47%) in the first half. Its net worth ratio fell from a “well capitalized” 7.57% on June 30 to an “adequately capitalized” 6.81% on Sept. 30.
The seven other credit unions were:
1. GreenState Credit Union of North Liberty, Iowa ($10.7 billion in assets, 455,892 members), which lost $7.4 million in the third quarter (ROA -0.28), following a $29.7 million gain (ROA 0.54%) in the first half.
2. Connexus Credit Union of Wausau, Wis. ($4.6 billion in assets, 475,604 members), which lost $7.4 million in the third quarter (ROA -0.63), following a $25.7 million loss (ROA -1.02%) in the first half.
3. Michigan State University Federal Credit Union of East Lansing, Mich. ($8.2 billion in assets, 374,591 members), which lost $6.5 million in the third quarter (ROA -0.32), following a $7 million loss (ROA -0.18%) in the first half.
4. General Electric Credit Union of Cincinnati ($4.6 billion in assets, 289,843 members), which lost $6.3 million in the third quarter (ROA -0.54), following an $8.8 million loss (ROA -0.36%) in the first half.
5. Premier America Credit Union of Los Angeles ($3.4 billion in assets, 111,420 members), which lost $5.7 million in the third quarter (ROA -0.64), following a $2.4 million loss (ROA -0.14%) in the first half.
6. Local Government Credit Union of Raleigh, N.C. ($4.1 billion in assets, 413,162 members), which lost $5.7 million in the third quarter (ROA -0.56), following a $9.2 million gain (ROA 0.46%) in the first half.
7. Workers Federal Credit Union of Littleton, Mass. ($2.6 billion in assets, 123,550 members), which lost $5.5 million in the third quarter (ROA -0.87), following a $10.6 million loss (ROA -0.83%) in the first half.
NCUA data also showed that a tiny Midwest credit union lost $11 million in the third quarter, or an ROA of about -250%. The loss was incredible, especially when the Call Report showed that its net worth increased by a few thousand dollars, keeping it well within the company of the “well capitalized,” as usual.
Looking at the Call Report (pulled late Monday) it appeared one of the credit union’s half dozen employees entered the full value of its loan portfolio in the CECL credit loss section, which automatically carried it to the net income line but not to the net worth calculation worksheet.
So the loss appeared to be a mistake at the credit union, which ought to be a predictable outcome for a certain percentage of the more than 4,000 Call Reports the NCUA receives every three months.
The incident occasioned these questions to the NCUA:
- “First can you confirm [the credit union] suffered a paperwork error, but not an $11 million loss?
- Second, how was the NCUA able to post this report?
- Does the NCUA have an automatic system that reads the net income line to ensure that it carries to the net worth?
- Does the NCUA have a system that looks for large losses and other outliers (say, ROA of +/- 100%) so that managers can generate a list of credit unions with unbelievable or extraordinary results that might be worthy of another look-see by staff?”
NCUA said in an email response Thursday that the credit union has since submitted a report correction.
“All call reports for the 9/30/2024 cycle were due on 10/30/2024. Once all call reports for the cycle have been submitted, the NCUA’s Office of Examination & Insurance (E&I) then performs a data scrub of the call report data,” NCUA said.
“The data scrub process is designed to identify potentially erroneous call report filings,” it added. “For the 9/30/2024 call report cycle, the data scrub began on 11/5, as scheduled, and will end on 11/18.”
NCUA said the credit union’s errors described in this article had not yet been analyzed by the data scrub process or its examination staff.
“The NCUA’s data scrub process is why the NCUA, using this cycle as an example, does not release final, 3rd quarter data until early December.”