Cyber Incident Victim: Lafayette Federal Credit Union

Lafayette Federal Credit Union experienced an external system breach through hacking on September 16, 2024, though the intrusion was not detected until February 5, 2025. The incident compromised personal information for 75,545 individuals, including 118 Maine residents, with attackers acquiring names combined with other unspecified personal identifiers. The credit union, headquartered at 2701 Tower Oaks Boulevard in Rockville, Maryland, engaged legal representation through Polsinelli PC shareholder Alexander Boyd to manage breach notifications. Written notifications were dispatched to affected consumers on March 20, 2025, with Maine residents receiving a specific redacted notice document titled Adult_1_YR_CM(102500597.1)_Redacted_(1).pdf. No prior breach notifications had been issued by the financial institution within the preceding 12-month period.

In response to the breach, Lafayette Federal Credit Union offered 12 months of identity theft protection services through Experian's Credit3B Identity Works Protection Services, encompassing credit monitoring and identity theft mitigation. The organization categorized the incident as an external system breach without disclosing technical details about attack vectors, containment procedures, or operational disruptions. The four-month gap between breach occurrence and discovery indicates delayed detection capabilities, though no evidence suggests ongoing unauthorized access beyond the initial compromise date. Impacted individuals received remediation services but no public documentation specifies whether financial data, Social Security numbers, or account credentials were exfiltrated alongside names and associated identifiers. The credit union fulfilled regulatory obligations by reporting the incident to the Maine Attorney General's office through its legal counsel while maintaining standard breach notification protocols for affected parties.