Cyber Incident Victim: Veridian Credit Union
Date: May 2023
Location: United States of America
Summary
Veridian Credit Union experienced a data breach where a hacker exploited its online membership application process to fraudulently obtain consumer credit reports. The unauthorized party gained access to sensitive personal and financial information, including names, Social Security numbers, dates of birth, addresses, and external financial account numbers. The incident impacted nearly 13,000 individuals, including non-members, and notification letters were subsequently sent to all affected parties.
Description
On May 3, 2023, Veridian Credit Union filed a formal notice of a data breach with the Maine Attorney General. This filing followed an investigation into a security incident where the credit union determined that a hacker had successfully obtained unauthorized access to its online membership application process. The breach did not involve a direct intrusion into the core accounts of existing members but rather exploited a specific digital service intended for new member enrollment. The incident resulted in an unauthorized third party gaining access to the personal information of 12,996 individuals. The compromised data included sensitive consumer information such as names, addresses, Social Security numbers, and dates of birth. Furthermore, the breach exposed highly specific financial data, including account numbers and loan numbers held by the affected individuals at other financial institutions, indicating the scope of the compromise extended beyond Veridian's own customer base.

The mechanism of the attack involved the fraudulent use of Veridian’s online application system to pull credit reports. According to the company's filing, hackers input consumer information they had previously obtained from other, unknown sources into the credit union’s application portal. This action fraudulently initiated the process of generating a credit report in the victim’s name. The credit reports themselves, which are typically generated as part of a legitimate membership application to assess eligibility, then served as a source of new and additional information for the attackers. This technique effectively allowed the hackers to use Veridian’s own systems as a tool to harvest and verify a richer set of stolen data on their victims, compounding the initial data theft from other sources.
Upon discovering that this security incident had occurred and that sensitive consumer data had been made available to an unauthorized party, Veridian Credit Union initiated a review of the affected files. The purpose of this internal review was to determine the precise nature of the information that was compromised and to identify the specific consumers who were impacted by the event. The company’s investigation confirmed that the breached information varied from individual to individual but consistently involved a combination of core personal identifiers and external financial data. The inclusion of account and loan numbers from institutions other than Veridian highlighted the particular risk to victims, as this information could potentially be used for fraudulent transactions or account takeovers elsewhere.
On May 3, 2023, concurrent with its regulatory filing, Veridian Credit Union began the process of sending out direct data breach notification letters to all 12,996 individuals whose information was compromised as a result of the incident. These letters served to inform the affected persons of the event and the specific categories of their personal information that were exposed. The credit union explicitly advised recipients who did not hold an account with Veridian not to disregard the notification letter, acknowledging that a significant portion of the affected individuals were not its members and that their data was compromised through the application system. This step was a direct response to the confirmed leakage of consumer data and formed the core of the organization's effort to fulfill its legal obligations and inform those at risk.
The impact of the breach was significant due to the highly sensitive nature of the exposed data. Social Security numbers and dates of birth are considered prime information for committing identity theft, as they are fundamental to opening new lines of credit, filing fraudulent tax returns, or obtaining government benefits in a victim’s name. The exposure of account and loan numbers from other financial institutions elevated the threat level, creating a direct risk of financial fraud against existing bank accounts or loans. This combination of data elements provided potential attackers with a substantial toolkit for causing financial and personal harm to the affected individuals. The breach affected a defined number of people, but the value of the stolen data meant the consequences for victims could be severe and long-lasting.
Veridian Credit Union is an established financial institution originally founded in 1934 as the John Deere Employees Credit Union. Headquartered in Waterloo, Iowa, the company operates a network of more than 30 physical branch locations across Iowa and Nebraska. Beyond its regional footprint, it serves clients nationwide through its digital banking products and services. Membership eligibility is extended to anyone living or working in Iowa or Nebraska, as well as to individuals who have immediate family members who are already Veridian members. The organization employs more than 833 people and generates approximately $187 million in annual revenue. The breach incident involved a segment of its operations separate from its core transactional banking systems, specifically targeting its online application infrastructure. The response to the breach, including the regulatory filing and consumer notifications, was managed through its corporate security and legal channels following the discovery and investigation of the fraudulent activity.
