U.S. credit union says MOVEit data breach impacted more than 500,000 customers

Texas Dow Employees Credit Union, a Lake Jackson, Texas-based financial services company, said the personal and financial information of more than 500,000 individuals was compromised as a result of the Clop ransomware group exploiting a zero-day vulnerability in the MOVEit Transfer web application.

In a recent filing with the office of the Attorney General of Maine, Texas Dow Employees Credit Union (TDECU) said it suffered a cyber security incident after the Clop ransomware gang exploited a zero-day vulnerability in the MOVEit software.

After being alerted by Progress Software, the company launched an investigation, with assistance from external cyber security experts, to understand the scope of the security incident.

“Following our investigation, we discovered on July 30, 2024, that certain files containing personal information of TDECU members were potentially removed from MOVEit by the bad actor between May 29-31, 2023,” reads a notice on TDECU’s website.

The compromised data included full names, dates of birth, Social Security Numbers, bank & financial account numbers, credit & debit card numbers, driver’s license & government IDs, and taxpayer identification numbers.

TDECU’s filing with the Maine state regulator also revealed that at least 500,474 individuals were impacted by the breach.

While TDECU found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.

It has also offered one year of complimentary identity protection and credit monitoring services through Experian IdentityWorks to all affected individuals.

The data security incident affected several major organisations globally, with a majority of those located in the U.S. According to German market research company KonBriefing, hackers have used the vulnerability to victimise over 2,600 organisations worldwide, of which 2,290 are based in the U.S., and accessed the information of more than 90 million people so far.