In a recent disclosure to the Maine Attorney General’s Office, the Texas Dow Employees Credit Union (TDECU) has revealed that over 500,000 of its members had their personal information compromised due to a data breach involving the MOVEit file transfer software.
The breach occurred over a year ago but was only discovered in July 2024. It has raised significant concerns about data security and the extended exposure of sensitive information.
According to a notice from the Maine Attorney General’s Office last week, the compromised data includes names, dates of birth, social security numbers, bank account and credit card numbers, driver’s license numbers and taxpayer identification numbers.
TDECU confirmed the breach was isolated to files transferred via MOVEit and that its internal network security remained intact.
TDECU Notification and Support For Affected Members
The company has initiated notification efforts starting on August 23 2024, to inform those affected by the breach.
Despite the credit union offering complimentary credit monitoring services to those whose social security numbers were compromised, the extended duration before the breach at TDECU was detected has drawn criticism and highlighted the need for continuous monitoring and robust cybersecurity practices.
“The fact that TDECU’s breach remained undetected for so long underscores the critical importance of rigorous and continuous patch management,” Darren Guccione, CEO of Keeper Security stated.
“Multiple patches were released following the MOVEit breach, and with any breach of this scope, it is imperative that they be applied promptly. However, applying patches is just one part of the solution – systems must also be continuously monitored for any signs of unusual activity.”
To tackle the effects of the breach, TDECU also advised its members to take preventive measures, such as placing fraud alerts or security freezes on their credit files and closely monitoring their financial statements for any irregular activity.
The MOVEit Breach and its Global Impact
The MOVEit breach, first identified in May 2023, has impacted thousands of organizations globally, with over 20 million individuals affected.
The breach was orchestrated by the Cl0p ransomware group, which exploited a vulnerability in the MOVEit software to exfiltrate data from numerous entities.
Ken Dunham, cyber threat director at Qualys, emphasized that ransomware remains one of the most pervasive and damaging threats in 2024, with the MOVEit incident exemplifying the high stakes involved in data security breaches.
“The MOVEit managed file transfer software vulnerability continues to be discussed due to widespread exploitation,” Dunham noted. “It is critical to apply lessons learned to each organization.”
Adam Gavish, CEO of DoControl, echoed Dunham’s point, adding that the repercussions of the MOVEit breach could persist for months or even years, with stolen data potentially surfacing on the dark web or being used in targeted attacks.
Read more on the MOVEit breach: MOVEit Exploitation Fallout Drives Record Ransomware Attacks
“This situation underscores a critical point [...]: the security of your data doesn’t end at your network perimeter,” Gavish explained. “Companies need to conduct thorough audits of what data they’ve been transferring through MOVEit or similar file transfer services. Understanding what sensitive information might have been exposed is crucial for risk assessment and mitigation.”
Image credit: JHVEPhoto / Shutterstock.com