Cyber Incident Victim: Quorum Federal Credit Union

On or around May 28, 2023, Quorum Federal Credit Union, a financial services institution based at 2500 Westchester Avenue, Suite 411, Purchase, New York, 10577, experienced a significant data security incident. The breach event was active for a three-day period, lasting from May 28, 2023, to May 30, 2023. The incident was not discovered immediately; instead, it was identified nearly a month later on June 20, 2023. The discovery initiated an internal investigation to determine the full scope and impact of the unauthorized access to its systems. The credit union engaged outside counsel from the law firm Baker & Hostetler LLP to manage the response and notification process, with Marcus McCutcheon serving as counsel and the primary point of contact for regulatory reporting.

The investigation determined that the breach resulted in the acquisition of sensitive personal information belonging to a total of 17,054 individuals. This figure represented the total number of persons affected across all jurisdictions, including 23 residents of the state of Maine. The compromised data was classified as personal identifiers in combination with financial information. Specifically, the information acquired included individuals' names coupled with their financial account numbers or credit/debit card numbers. Furthermore, this financial data was compromised in combination with the corresponding security codes, access codes, passwords, or personal identification numbers (PINs) for those accounts, significantly increasing the potential risk of fraud and identity theft for the impacted individuals.

In response to the confirmed exposure of highly sensitive data, Quorum Federal Credit Union decided to offer complimentary identity theft protection services to all affected individuals. The services were provided by the firm Kroll and included a comprehensive suite of features designed to help protect consumers. These features encompassed credit monitoring, which would alert individuals to changes in their credit reports; fraud consultation, providing access to experts who could offer advice on dealing with suspicious activity; and identity theft restoration services, which would provide assistance in the event an individual's identity was actually stolen. The credit union committed to providing these services for a duration of one year at no cost to the victims of the breach.

The formal notification process for consumers was executed through written notice. The letters detailing the incident, the information involved, and the offered protective services were dispatched to all 17,054 affected individuals on July 17, 2023. This date marked over six weeks after the breach's discovery and nearly two months after the initial incident occurred. For the 23 affected Maine residents, the credit union, through its counsel, also provided a copy of the consumer notice and a specific appendix for the Maine Attorney General's office as part of its compliance with state breach notification laws. The submitted documentation included the files titled "Quorum - Adult Model CM.pdf" and "Quorum - ME AG appendix.pdf". The credit union reported that it had not issued any previous breach notifications within the twelve months preceding this incident.