Not only did hackers penetrate Carter Credit Union’s network, but they also got their hands on virtually every possible data point the financial institution had on its customers.
Carter has begun reaching out to tens of thousands of customers whose data may have been impacted by a data breach. According to the credit union’s breach notice, attackers roamed its systems for several days, from June 25th through July 2nd, 2025, when the intrusion was detected.
The company claims that it launched an investigation immediately after learning about the incident. Law enforcement was also notified, and third-party cybersecurity experts are assisting Carter with the investigation.
Information the credit union submitted to the Maine Attorney General’s Office revealed that over 68,000 people were impacted by the attack. Since Carter claims to have over 45,000 clients, the breach likely impacted past customers or current customers’ beneficiaries as well.
Meanwhile, the scope of the data breach is quite substantive, as attackers may have had access to extremely sensitive personal customer information. According to the credit union’s data security incident notice, which it posted on its website, the stolen details include:
- Names
- Dates of birth
- Social Security numbers (SSNs)
- Driver’s license/state ID numbers
- Passport numbers
- Credit/debit card numbers
- Financial account numbers
- Financial account history
- Retirement/401(k) benefits information
- Limited medical treatment/diagnosis information
- Health insurance information
Having so many personal details leaked opens up numerous ways for malicious actors to exploit them. The most obvious exploitation route is identity theft. With IDs, SSNs, and dates of birth at hand, attackers can attempt to open fraudulent accounts, which can later be used to obtain loans or payment cards, a treasured asset in the cybercriminal underworld.
Meanwhile, access to payment card numbers and account information allows attackers to attempt unauthorized transactions. Since hackers most likely would also have the credit union’s customers’ IDs, they could bypass the identity verification process.
The information accessed by the attackers also allows them to attempt account takeovers, exploit retirement accounts with unauthorized withdrawals, and craft sophisticated social engineering attacks. Malicious actors could easily impersonate financial or medical staff in an attempt to scam victims out of additional information or money.
Healthcare data, such as diagnosis information or health insurance information, is among the most valuable prizes in the cybercriminal underground. Attackers can use diagnosis information to file fraudulent medical claims, which allows them to illegally obtain prescription drugs that can later be sold for profit.
What’s worse with medical detail leaks is that this type of information, unlike an exposed ID or payment card, cannot be replaced. Attackers can dig up old medical data and attempt tailor-made phishing attacks against an individual whose details have been leaked.
As has become customary in similar cases, Carter said it will provide impacted users with identity theft and credit monitoring services free of charge. The company stressed that it has no evidence that attackers exploited the stolen details.
Your email address will not be published. Required fields are markedmarked