1 million consumers are victims of credit union ransomware attack

Img

A Bay Area credit union the suffered a ransomware incident earlier this year has revealed over one million consumers were affected.

Patelco Credit Union last week updated its initial assessment of 726,000 consumers impacted by the hack to 1,009,472 people, according to a notice with the Office of the Maine Attorney General. The lender detected the intrusion on June 29, and a subsequent investigation revealed an unauthorized party accessed its database for 37 days between May and June.

The initial, smaller estimate of people affected was revealed in August. Following that disclosure the Dublin, California-based Patelco conducted an additional analysis to identify as many affected individuals as possible, it said.

"In order to meet our legal obligations under applicable state data privacy laws following this additional due diligence, we filed amended disclosures with certain regulatory officials," a Patelco spokesperson said in a statement Wednesday.

The cybersecurity event disrupted Patelco's banking systems for almost two weeks following the incident. It's waiving or reimbursing most late fees for July and August, it's told customers. The lender has not revealed which, or if, personally identifiable information was compromised. 

Patelco originated $667 million in loan volume last year, and reported over $2.2 billion in home loan originations in 2021 at the height of the recent refinance boom, according to Home Mortgage Disclosure Act data. Nationwide Multistate Licensing System records show 218 registered mortgage loan originators at the credit union. 

Affected individuals sued Patelco for failing to protect their data in seven separate lawsuits in a California federal court. SIx of those complaints were voluntarily dismissed this summer, while a newer suit was filed Tuesday. It's unclear if Patelco reached settlements with those plaintiffs, and the lender didn't immediately respond to that question Wednesday. 

The credit union is continuing its offer of complimentary credit monitoring for affected current or former customers for a two-year period, through Nov. 19. Companies affected by cyber security incidents usually extend such services to impacted individuals for a 12-to-24 month period. 

After a spate of hacks of the industry's largest players last winter, few lenders have revealed data breaches in recent months. Lawsuits against financial institutions over those incidents remain pending.

Those complaints, and costs to clean up data breaches, easily reach into millions of dollars. Loandepot in August revealed its accrued $27 million, primarily as part of reaching a settlement, in a proposed class action complaint over a hack in January that affected over 16 million consumers.


More From Life Style