Cyber Incident Victim: Franklin Mint Federal Credit Union
Date: May 2023
Location: United States of America
Summary
Franklin Mint Federal Credit Union experienced an external system breach involving unauthorized access to its network. The incident compromised the personal information of over 140,000 individuals, including names combined with Social Security Numbers. The organization discovered the breach approximately one month after it occurred and subsequently provided written notification to all affected consumers. The credit union offered impacted persons identity protection services, including credit monitoring and identity theft insurance, for a period of twelve months.
Description
On or about May 31, 2023, Franklin Mint Federal Credit Union, a financial services institution based at 5 Hillman Drive, Suite 100, in Chadds Ford, Pennsylvania, experienced a significant external system breach. The incident, which was characterized as hacking, resulted in the unauthorized acquisition of sensitive personal information. The breach was not discovered until June 28, 2023, nearly a full month after the initial compromise occurred. The investigation into the event determined that the information acquired by the threat actor included the names of individuals in combination with their Social Security Numbers. The total number of persons affected by this data security incident was 140,963, which included individuals residing both within and outside of the state of Maine. Specifically, the breach impacted 37 residents of the state of Maine.

The credit union engaged outside legal counsel in the aftermath of the breach discovery. The entity responsible for submitting the breach notification to the Maine Attorney General's office was Aubrey Weaver, a Partner at the law firm Constangy, Brooks, Smith & Prophete, LLP. The law firm acted on behalf of Franklin Mint Federal Credit Union, with the submitted contact information including a telephone number and an email address for the responsible attorney. The notification was formally submitted to state authorities, detailing the scope and nature of the incident as required by law.

In response to the breach, Franklin Mint Federal Credit Union elected to provide written notification to all affected consumers. The date scheduled for this consumer notification was July 20, 2023. This written notice was also provided to the Maine Attorney General's office, with a copy filed under the name "FMFCU - Regulatory Notification Letter_ME.pdf". The notification process was a direct communication to inform individuals that their personal identifiers and Social Security Numbers had been compromised in the external security breach.

As part of its remedial actions, Franklin Mint Federal Credit Union offered identity theft protection services to all individuals impacted by the incident. The services were provided through the firm Kroll. The offering included a comprehensive suite of identity protection services for a duration of twelve months. These services specifically encompassed credit monitoring to alert individuals to changes in their credit reports and up to one million dollars in coverage for identity theft insurance. This insurance was designed to provide financial reimbursement for costs associated with recovering from identity theft, such as legal fees or lost wages. The offering of these services was a central component of the organization's response to mitigate potential harm to the affected consumers.

The breach represented a significant data security event for the financial institution, impacting a substantial number of individuals. The compromised data, particularly the combination of names and Social Security Numbers, is considered highly sensitive as it can be used for identity theft and financial fraud. The delay between the breach occurrence and its discovery on June 28, 2023, indicates the breach was not immediately apparent to the organization. The subsequent period between discovery and the planned consumer notification on July 20, 2023, was used for investigation and to coordinate the response effort, including the arrangement of protection services with the third-party provider. The incident was formally reported to the appropriate government agency as a required disclosure under state breach notification laws.
