Cyber Incident Victim: Boeing Employees Credit Union
Date:
Jun 2022
Location:
United States of America
Summary
Boeing Employees Credit Union experienced a third-party data breach when an unnamed printing vendor suffered a network security incident, compromising sensitive member information including names, addresses, account numbers, credit scores, and Social Security numbers. BECU terminated the vendor's services upon discovery, engaged a forensic firm to investigate impacted individuals, and subsequently notified affected members about the unauthorized access to their personal data. The incident highlights risks associated with vendor-related security exposures without direct compromise of the credit union's own systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 6, 2022, Boeing Employees’ Credit Union (BECU) learned of a network security incident involving an unnamed third-party printing vendor that processed member information. The credit union immediately terminated its relationship with the vendor upon discovery. The vendor subsequently confirmed that unauthorized parties had accessed sensitive member data stored within its systems. BECU engaged an independent data forensics firm to investigate the scope of the breach and identify affected individuals. The compromised information varied by individual but included names, addresses, account numbers, credit scores, and Social Security numbers. BECU confirmed there was no evidence of unauthorized access to its own internal systems during the incident. On July 25, 2022, BECU filed official breach notices with government agencies and began mailing notification letters to impacted members. The letters detailed the specific types of personal information exposed for each recipient. BECU did not publicly disclose the total number of affected members or the identity of the vendor involved in the breach. The incident exclusively impacted data entrusted to the third-party vendor for processing purposes.
The breach exemplifies a third-party data compromise where attackers targeted vendor systems rather than BECU’s direct infrastructure. Founded in 1935 and headquartered in Tukwila, Washington, BECU serves over 2,485 employees and generates approximately $936 million in annual revenue across 50+ locations. Membership eligibility extends beyond Boeing employees to include Washington residents, credit union employees, and members of partner organizations like University of Washington alumni associations. Exposed data elements created risks of identity theft and financial fraud for impacted individuals, though BECU’s notification did not specify whether any misuse had occurred. The credit union’s response focused on containment through vendor termination, forensic analysis to determine breach parameters, and regulatory compliance through timely notifications. No additional mitigation measures or member support services were detailed in the public disclosure beyond the distribution of breach notification letters.