Patelco Credit Union warns customers it suffered a data breach after personal data was stolen in a RansomHub ransomware attack earlier this year.

Though the organization did not name the attackers, the RansomHub gang claimed responsibility on August 15, 2024, when they published all of the stolen data on their extortion portal.

Patelco is an American not-for-profit credit union that provides financial services, including checking and savings accounts, loans, credit cards, insurance plans, and investments, with assets exceeding $9 billion. 

Last month, the company disclosed it suffered a ransomware attack on June 29, 2024, that forced it to shut down customer-facing banking systems to contain the damage and protect people's data.

The system outage lasted for approximately two weeks while the organization restored most of the functionality of its IT systems.

At the time the incident was disclosed, Patelco had not determined if data had been compromised in the attack, but the investigation revealed that the threat actors stole customer data.

"The investigation revealed that an unauthorized party gained access to our network on May 23, 2024, leading to access to the databases on June 29, 2024," reads Patelco's data breach notification.

"Following the investigation and a thorough review of the data involved, we confirmed on August 14, 2024, that the accessed databases contained your personal information."

The information that was exposed to cybercriminals varies per individual and may include:

• Full name
• Social Security number (SSN)
• Driver's license number
• Date of birth
• Email address

This matches what RansomHub leaked on its extortion portal on the dark web, where the cybercriminals claim that they have failed to reach an agreement with Patelco after two weeks of alleged negotiations.

According to a listing on Maine's Attorney General Office website, the incident impacted 726,000 Patelco customers.

Recipients of the data breach notices will find instructions on enrolling in a complimentary two-year coverage of identity protection and credit monitoring services through Experian. The enrollment deadline was set to November 19, 2024.

Patelco has also placed a warning banner on its website's homepage, advising members that its team will never contact them directly to request their card details, including their PIN, expiration date, or CVV code.

The risk of phishing, social engineering, and scams is elevated for exposed individuals, who are now advised to remain vigilant against unsolicited communications and malicious attempts.