Federal Credit Union Cyberattack

Introduction

A federal credit union in South Carolina was breached back in September 2024, which wasn’t discovered until a few months later. The FCU suffered a cybersecurity attack that exposed information of over 240,000 of its members across multiple states. This is yet another example that a massive credit union can fall victim to a cyberattack, regardless of their assets. Both big and small financial institutions are constantly at risk of cybersecurity issues.

While the exact method of the cyberattack wasn’t disclosed, it can be assumed that it was due to a ransomware attack. There are plenty of ways that ransomware can be inserted into a credit union or bank’s system, usually revolving around social engineering. With the steady increase in bad actors sending emails, making phone calls, and even sending texts, some people fall victim to these things.

The Sensitive Information

Back in September, the hacker group called Nitrogen was able to steal over 650 GBs of customer data. This data included:

• Social Security Numbers
• Driver’s License Information
• Date of Births
• Financial Account Information
• Credit and Debit Card Information

The sheer sensitivity of this information has caused great concern for many people. This sort of breach can lead to a lot of identity theft, impersonations, and more. Not only that, but bad actors can use this information to socially engineer those closest to those victims.

It is up to the credit union to protect their customers. Usually, when this happens, establishments will provide those effected with identity theft protection and counseling. It is the responsibility of the FCU to remediate these problems and help their affected members find proper assistance. Additionally, it is apparent that the credit union isn’t doing enough to protect their members in the first place.

Preventing Cyberattacks

There are plenty of ways that the FCU could have prevented this breach in their network. The fact that the hacker group managed to get social security numbers and driver’s license information alone is quite bad. This information should never get to bad actors, even if they manage to infiltrate a company’s network. As such, there are a few things that can be done to prevent this from happening.

Security Awareness Training

When it comes to cybersecurity, humans are the biggest risk that a company can have. With security awareness training, this can lower the likelihood of an employee falling for social engineering. Employees can not only attend security awareness classes, but they can also be sent simulated phishing attempts. These can be emails, but they can extend to vishing and smishing as well, with phone calls and text messages.

Penetration Tests

There are many types of penetration tests, including external penetration tests and internal penetration tests. An external pen test is a simulated attack on a network that uses real-world methods, attempting to get into the network. An internal penetration test, which is likely what would have prevented the leaked information, is a test to see what bad actors can get to after getting into the network. These are usually requirements by the government, so it’s important to know the regulations of these things.

Tabletop Testing

When it comes to problems and disasters that might happen, like a big hack, it’s important to know what everyone should do and how things are handled. Policies and procedures should dictate how to respond to these issues that arise. They can include ransomware and other various cybersecurity issues, but they also include natural disasters like fires or bad storms.

Conclusion

The cyberattack at the FCU compromised over 240,000 of its members, where hacker group Nitrogen stole social security numbers, driver’s license information, and more. These things should never be able to be taken and it may be difficult for these many victims to be completely safe. It is up to the credit union to provide identity theft protection and various other assistance for this attack getting through.

It’s always important to follow government regulations when it comes to cybersecurity and information security. Examiners will often check for these things, but some of them can be lax. It is the business’s responsibility to do everything they can to protect their customers and members, regardless of these regulations. Whenever something is ignored, that’s when disaster strikes.