Cyber Incident Victim: Alogent

On or around May 30, 2023, unauthorized third parties exploited a previously unknown vulnerability in the MOVEit file transfer service. This service was used by Alogent Holdings, Inc., a vendor to Clearwater Credit Union. The exploitation of this vulnerability allowed the unauthorized actors to gain access to files stored on MOVEit systems managed by Alogent. The period of unauthorized access to files containing Clearwater Credit Union data was determined to have occurred between May 30, 2023, and May 31, 2023. The incident was isolated to the MOVEit system maintained by Alogent and did not involve any unauthorized access to Clearwater Credit Union's own internal systems or customer accounts.

Clearwater Credit Union was notified of the security incident by its vendor, Alogent, on June 14, 2023. Upon discovery, Alogent and Clearwater promptly initiated internal investigations into the nature and scope of the breach. Clearwater also obtained legal counsel and notified law enforcement authorities. As part of its investigation, Alogent provided Clearwater with a list of files that had been accessed and acquired by the unauthorized third parties. This list was delivered on or around June 14, 2023.

Following receipt of the file list from Alogent, Clearwater conducted a comprehensive review of the identified documents to determine what specific data was involved. The review confirmed that the accessed files contained personal information belonging to certain Clearwater members. The credit union then worked to locate current contact information for all affected individuals. The personal information exposed varied by individual but included data elements sufficient to warrant notification and the offering of protective services.

The incident affected a limited number of individuals. A precise total was not disclosed in the notification, but it was confirmed that the personal information of seven New Hampshire residents was involved. Notifications to all affected individuals, including these residents, were sent via first-class United States mail on June 30, 2023. Each notification letter included an offer of complimentary credit monitoring and identity theft protection services through a one-year membership to Experian IdentityWorks Credit 3B. This service provides daily credit monitoring of reports from all three major national credit bureaus, identity restoration support, and up to $1 million in identity theft insurance.

The response actions taken by Clearwater Credit Union focused on notification and support for affected individuals. The organization worked with its vendor, Alogent, to ensure steps were being taken to further secure member information moving forward. Clearwater stated it was not aware of any actual fraud or identity theft to any individual as a direct result of this incident at the time of the notification. The letter to members provided information on additional steps they could consider, such as reviewing account statements, placing fraud alerts, or instituting credit freezes with the three major credit reporting agencies. The incident was reported to the New Hampshire Attorney General’s office in compliance with state law, and a sample of the consumer notification letter was provided as part of that submission.