Texas Dow Employees Credit Union was one of several dozen financial institutions affected by last year’s MoveIt cybersecurity breach, the credit union announced Monday.
The Lake Jackson, Texas-based credit union’s public acknowledgment adds it to a long list more than a year after the breach, which has affected more than 95 million people and 2,700 organizations, according to antivirus firm Emsisoft’s tally from public disclosures and securities filings.
On May 27, 2023, ransomware gang cl0p began its exploitation of an issue within secure file transfer program MoveIt; and MoveIt parent company Progress Software fixed the problem and notified customers within days.
But TDECU didn’t learn that its members were affected by the breach until last month, according to a letter to customers and a notification to Maine’s attorney general.
The notification to Maine’s AG claims that 500,474 people were affected by TDECU’s breach. That’s higher than the 386,000 members the credit union has, according to its website.
An internal investigation revealed that certain files containing personal information of TDECU members were removed by cl0p members between May 29 and 31, 2023.
“That analysis was completed this month and that was when we immediately sent notification letters to potentially affected individuals,” a TDECU spokesperson wrote in an email to Banking Dive.
Impacted data includes full names in combination with dates of birth, Social Security numbers, bank or financial account numbers, credit and debit card numbers, driver license or government ID and taxpayer identification numbers.
It was not the only organization to find out later that it was affected by the breach. In October, Fiserv notified customers that it had fallen victim to the May attack, at which point Flagstar Bank discovered it, too, was a victim – due to its relationship with Fiserv. Flagstar was not a client of MoveIt.
TDECU announced in April its intention to purchase Sabine State Bank and Trust, a bank based in Many, Louisiana. A TDECU spokesperson said the incident is not expected to affect its acquisition of Sabine, “which is still on track to be completed in early 2025.”
That is not always the case. Mike Manske, director of strategic advisor West Monroe’s cybersecurity practice, told Banking Dive that cybersecurity issues “present significant risks to bank M&A deals, with the potential to impact deal valuation, regulatory approval, integration processes, and overall transaction success.”
“A breach can lead to substantial financial losses from regulatory fines, legal fees, and remediation costs, often forcing buyers to reconsider deal terms or, in extreme cases, causing deals to fall through entirely,” he said. “Additionally, potential liabilities and compliance risks from data breaches may reduce the overall value of the acquisition, while the reputational damage can erode customer trust and compromise both the target and acquiring bank's market position.”
Neither Sabine State Bank nor its state regulator, the Louisiana Office of Financial Institutions, returned requests for comment. Neither did the National Credit Union Administration.