MOVEit saga drags on as credit union discloses 100K victims


University Federal Credit Union has admitted a data breach related to this year’s hack of the third-party MOVEit software. The disclosure adds yet another organization to the tally of victims of the cyberattack, which is claimed by the Russia-based Cl0p group.

The notorious ransomware gang had previously listed University Federal Credit Union as one of its victims back in July. Now, that appears to have been borne out by a statement from the organization issued to customers on October 10th.

The union said it confirmed that a breach had occurred following a four-month investigation. It was tipped off by MOVEit at the time of the original attack by Cl0p in May.

“We received notice from one of our vendors, MOVEit, that they experienced a global data security event that allowed unauthorized users access to data stored on their software platform,” said the union.

It notified the attorney general in Maine, which imposes strict reporting requirements on data breaches affecting any of its residents, of a breach potentially affecting 102,650 people that exposed financial account and credit and debit card numbers.

However, the union told affected clients that to the best of its knowledge it has “no evidence that any of your information has been used to commit financial fraud.”

That said, it’s also widely understood that such data can and will be used to commit online crimes relating to fraud and identity theft, meaning tens of thousands more Americans must now join the estimated millions already deemed to be at risk from the Cl0p attack.

The union has offered affected parties a year of free identity theft protection services, and urges customers to remain vigilant to the possibility of future attacks leveraging the exposed data.

“We will continue to actively monitor this situation,” it added. “Please remember to remain vigilant in reviewing your financial account statements and credit reports for fraudulent or irregular activity on a regular basis.”