Cyber Incident Victim: University Federal Credit Union

Date: May 2023

Location: United States of America

Summary

University Federal Credit Union suffered an external system breach via the MOVEit Transfer vulnerability, resulting in unauthorized access to personal information. The incident compromised the names and financial account details, including credit/debit card numbers paired with their security codes or PINs, of over 102,000 individuals. The organization offered affected persons a twelve-month subscription to credit monitoring and identity theft protection services provided by Experian.

Description

On or around May 27, 2023, University Federal Credit Union, a financial services organization based in Austin, Texas, experienced a data security breach. The incident was the result of an external system breach, specifically hacking, which exploited a vulnerability in the MOVEit Transfer software. The unauthorized access to the credit union's systems occurred over a period that began on May 7, 2023, and concluded on May 27, 2023. The breach was not discovered until September 15, 2023, nearly four months after the final date of unauthorized access.

The breach resulted in the acquisition of sensitive personal information belonging to a total of 102,650 individuals. This figure included 29 residents of the state of Maine. The specific categories of information that were compromised included the name or another personal identifier in combination with a financial account number or credit/debit card number. Furthermore, this financial information was acquired in combination with its corresponding security code, access code, password, or PIN for the account, significantly increasing the potential for fraud and misuse.

Upon discovery of the breach on September 15, 2023, University Federal Credit Union engaged external counsel to manage the response and notification process. The credit union undertook an investigation to determine the full scope and impact of the incident. The investigation confirmed that the intrusion was made possible by a vulnerability within the MOVEit Transfer application, a tool used for secure file transfers. This vulnerability, which was a zero-day at the time of the attack, was widely exploited by a cybercriminal group to gain access to the systems of numerous organizations globally and exfiltrate data.

The organizational response included planning for the mandatory notification of all affected individuals. The credit union determined that written notification would be the method used to inform consumers that their personal and financial data had been compromised. These written notifications were subsequently sent to all 102,650 affected persons on October 10, 2023. The notice provided to Maine residents was filed with that state's authorities as a sample of the communication.

In addition to notifying individuals of the breach, University Federal Credit Union offered mitigation services to help protect those affected from potential identity theft and financial fraud. The credit union arranged for all impacted persons to receive credit monitoring and identity theft protection services, which were provided by Experian. These services were offered for a duration of twelve months at no cost to the consumers. This offering was designed to help detect any suspicious activity related to the misuse of the acquired personal and financial information.

The compromise of financial account numbers in conjunction with their associated security codes and passwords represents a severe risk to the affected individuals, as it provides attackers with the necessary components to conduct fraudulent transactions and potentially gain further access to personal accounts. The delay between the breach occurrence and its discovery, a period of several months, meant that the stolen data could have been available to malicious actors for an extended time before any protective measures could be initiated by the credit union or its members.

The incident at University Federal Credit Union is part of a broader wave of attacks targeting the MOVEit Transfer software vulnerability throughout 2023. The Clop ransomware gang was identified as the threat actor behind this widespread exploitation campaign, which impacted hundreds of companies and millions of individuals worldwide. The gang exploited the vulnerability to gain unauthorized access to databases and file storage areas, from which they exfiltrated large volumes of sensitive data. The attackers then used this data to extort the victim organizations, threatening to publish the stolen information on their dark web leak site if a ransom was not paid.

The response actions undertaken by University Federal Credit Union followed the standard post-breach protocol of investigation, consumer notification, and the provision of protective services. The filing with the Maine Attorney General's office, submitted by counsel Colin Battersby of the law firm McDonald Hopkins, serves as a public record of the event and its impact on residents of that state. The breach notification letter provided to consumers would have detailed the specific information involved in the incident for each individual and provided instructions on how to enroll in the offered Experian identity protection services.

The consequences of this breach for the 102,650 affected individuals include an elevated and prolonged risk of identity theft, account takeover, and financial fraud. The credit union itself faced significant operational, financial, and reputational costs associated with responding to the incident, including the expenses related to the investigation, notification process, and the provision of a year of credit monitoring for a large population. The event underscores the systemic risk posed by vulnerabilities in third-party software and supply-chain attacks on financial institutions and other entities that handle highly sensitive personal data.
