Cyber Incident Victim: Cross Valley Federal Credit Union
Date: Nov 2024
Location: United States of America
Summary
Cross Valley Federal Credit Union experienced an external system breach involving unauthorized access to sensitive personal information, including names combined with other identifiers. The incident impacted over 17,800 individuals, with two affected parties being Maine residents. Following discovery, the organization provided written notifications to consumers and offered affected individuals 12 months of identity theft protection services through CyberScout, encompassing credit monitoring, fraud assistance, and credit report oversight.
Description
On November 19, 2024, Cross Valley Federal Credit Union, a non-profit financial institution headquartered at 640 Baltimore Drive in Wilkes-Barre, Pennsylvania, experienced an external system breach involving unauthorized hacking activity. The breach remained undetected until December 4, 2024, when the credit union discovered the intrusion. The incident compromised personal identifiers of 17,826 individuals, including two residents of Maine. No additional details regarding the specific systems targeted, methods of intrusion, or duration of unauthorized access prior to discovery were disclosed in regulatory filings. The compromised data included at least one form of personal identifier combined with other elements, though the exact data categories beyond names were not specified in the Maine Attorney General's notification.

Cross Valley Federal Credit Union initiated written notifications to affected individuals on March 13, 2025, approximately four months after discovering the breach. The notification timeline suggests a prolonged investigation period between breach discovery and consumer outreach. Legal counsel Anjali Das of Wilson Elser Moskowitz Edelman and Dicker LLP submitted the breach disclosure to Maine authorities, confirming the credit union offered affected individuals 12 months of identity theft protection services through CyberScout. These services included single-bureau credit monitoring, credit report and score access, and proactive fraud assistance. The credit union did not report any prior breach notifications within the preceding 12 months. Regulatory documentation confirmed the submission of a preliminary notice copy titled "3-23_MAINE_-_Preliminary_AG_Notice_-_Cross_Valley_(15991.01946).pdf" to Maine authorities, though the notice's specific content was not publicly detailed. The breach's operational impact on the credit union's services and any containment measures implemented remained undisclosed in available records.
