60 US Credit Unions Suffer Cyber Attacks

12322814697?profile=RESIZE_400xJust three months after the National Credit Union Administration (NCUA) put into place a final rule requiring federally chartered and federally insured credit unions to notify NCUA of a "reportable cyber incident," about 60 credit unions in the United States experienced outages because of a ransomware attack on an IT provider the institutions use, according to a US federal agency.  The final NCUA rule went into effect on 01 September 2023, requiring that affected credit unions should notify the NCUA "as soon as possible and no later than 72 hours" after the credit union "reasonably believes" the incident has occurred.[1]

A ransomware infection at a cloud IT provider has disrupted services for 60 or so credit unions across the US, all of which were relying on the attacked vendor.  This is according to the National Credit Union Administration, which reported that it is “fire-fighting” the situation with the credit unions downed this week by the intrusion. The NCUA regulates and insures these financial orgs. “I can confirm that approximately 60 credit unions are currently experiencing some level of outage due to a ransomware attack at a third-party service provider.  Member deposits at affected federally insured credit unions are insured by the National Credit Union Share Insurance Fund up to $250,000,” the NCUA spokesperson said.

According to investigators, the unions' IT provider Ongoing Operations was attacked by ransomware a few days earlier that began days of disruption for the union’s clients.  It is believed the cloud provider was infiltrated via the Citrix Bleed vulnerability.

There are a few moving parts here, so here is a quick summary:

  • Trellance: A provider of solutions and services used by credit unions, and the parent company of FedComp
  • FedComp: A provider of software and services that enable credit unions to operate around the world
  • Ongoing Operations: A unit of Trellance, which specializes in disaster recovery and business recovery, providing cloud services to credit unions to ensure that their business activities 'operate without interruption, even when nothing else seems to be going well.'

National Credit Union Administration (NCUA) spokesperson Joseph Adamoli told the media that several credit unions were informed at the start of this month by Ongoing Operations that it had been hit by a ransomware attack.  In an update on its website, Ongoing Operations describes how it experienced the 'isolated cybersecurity incident' on26 November 2023, and 'took immediate action to address and investigate.'"

A blog post earlier this year from Davis Wright Tremaine LLP, titled "NCUA Approves 72-Hour Cyber Incident Reporting Requirement for Credit Unions," broke down the new NCUA rule and its implications:

"The final rule, which amends NCUA's regulations at 12 C.F.R. part 748, defines a 'cyber incident' as 'an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.'"

  • A 'reportable cyber incident' one that must be reported to NCUA within 72 hours means a 'substantial cyber incident' leading to one or more of these outcomes:
  • A substantial loss of confidentiality, integrity, or availability of a network or member information system… that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services… or has a serious impact on the safety and resiliency of operational systems and processes;
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; and/or
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise."

The NCUA is taking a number of steps to address the threat of cyberattacks, including:

  • Issuing cybersecurity guidance: The NCUA has issued a number of cybersecurity guidance documents that provide credit unions with information on how to protect themselves from cyberattacks.
  • Conducting cybersecurity examinations: The NCUA conducts cybersecurity examinations of credit unions to assess their cybersecurity risks and practices.
  • Providing cybersecurity resources: The NCUA provides a number of cybersecurity resources to credit unions, including training materials and threat assessments.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com   

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings




[1] https://www.secureworld.io/industry-news/60-credit-unions-cyber-attack

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!