Sixty. That is the approximate number of credit unions that experienced “some level of outage” due to a single ransomware attack on a third-party provider earlier this month, according to the National Credit Union Administration (NCUA). The incident is a reminder of the importance of heeding warnings about cyber risks and taking appropriate safeguarding measures.
NCUA Media Relations Manager Joseph Adamoli confirmed the incident in a statement provided to Dodd Frank Update and other media outlets, noting the agency’s efforts to coordinate with the affected credit unions. The agency also stressed that member deposits would be insured by the National Credit Union Share Insurance Fund up to $250,000.
In a follow-up statement, the agency reported all affected credit unions were “fully operational and serving member needs” as of Dec. 13 and provided an update on the affected credit unions’ fiscal health.
“The credit unions have sufficient liquidity to meet the cash and payment needs of their members; members have access to their funds and to ATMs,” Adamoli noted.
The initial attack occurred at Ongoing Operations, a subsidiary of Trellance Cooperative Holdings, Inc., in what the company called “an isolated cyber security incident” in a press release.
“Once we identified the incident, we immediately began working with our IT staff and engaged third-party forensic specialists to investigate the nature and scope of the incident,” the release states. “This incident is isolated to a segment of the Ongoing Operations network and does not impact Trellance products or services. Our team is diligently working around the clock to minimize service interruptions wherever possible and to ensure the safety of information stored on our systems. We will notify impacted individuals once we confirm the scope of the incident.”
Mountain Valley Federal Credit Union (MVFCU) was among the roughly 60 credit unions impacted by the attack. In a letter to members, the credit union’s CEO, Maggie Pope, explained that the attack reached the credit union via a breach at its computer systems provider and that the issue was brought to her attention by its data processor, FedComp Inc.
“Trellance has indicated that our member information has not been affected by this incident. Because of this, Trellance must move to a new server system,” Pope said in the letter. “This process does take time as there are multiple steps involved. This is not just an MVFCU issue, it is nationwide. Trellance and FedComp have been working around the clock to get our systems along with other credit unions around the country that have experienced the same issue back online.”
Per a final rule that took effect Sept. 1, credit unions must notify the NCUA of a cyberattack within 72 hours of it being identified. NCUA Chairman Todd Harper said the agency received 146 incident reports within 30 days of the rule’s effective date, a total more closely resembling what the NCUA typically sees in an entire year rather than a month.
In August, the NCUA warned entities that it was witnessing an increase in cyberattacks against credit unions, credit union service organizations (CUSOs) and third-party service providers supplying financial services products.