Fairmont Federal Credit Union (FFCU) has informed hundreds of thousands of people about a devastating breach that exposed everything from names to PIN numbers and healthcare data. The kicker? Attackers obtained the data nearly two years ago.
The credit union informed customers of a data breach that the FFCU discovered in late January 2024. Information that the FCCU submitted to the Maine Attorney General’s Office revealed that the 2023 data breach exposed over 187,000 individuals.
After launching an investigation, the company learned that attackers breached its systems nearly half a year prior, roaming FFCU’s network from September 30th, 2023 through to October 18th, 2023.
“As part of the investigation, FFCU engaged external cybersecurity professionals who regularly investigate and analyze these types of situations to help determine the extent of any compromise of the information on the FFCU network and conducted a manual review,” FFCU’s data breach notice said.
The investigators did not appear to hurry with their conclusions, as, according to FFCU, the company didn’t find out what type of data was stolen until August 2025, two years later. What makes matters worse is the enormous extent to which attackers have accessed personal details.
According to the FFCU’s data breach notice, the exposed details include: full names, dates of birth, addresses, Social Security numbers, US Alien registration numbers, passport numbers, driver’s license or state ID numbers, military ID numbers, tax ID numbers, non-US national ID numbers, financial account numbers, routing numbers, financial institution names, credit card/debit card numbers, security code/PIN numbers, credit card/debit card expiration dates, IRS PIN numbers, treatment information/diagnosis, prescription information, provider names, MRN/patient IDs, Medicare/Medicaid numbers, health insurance policy/subscriber numbers, treatment cost information, full access credentials, security questions and answers, and digital signatures.
FFCU noted that not all data elements were impacted for every individual, meaning that the extent varies from person to person. However, the gigantic list of exposed data suggests that attackers had extensive access to files containing critical customer information.
The exposed information enables attackers to carry out numerous malicious activities, ranging from complete medical identity theft to targeted phishing attacks and financial fraud. Not only could attackers remotely verify victims’ identities, but they could also use payment card details for illicit purchases and health insurance details to obtain prescription drugs.
What’s worse, medical health details cannot be changed, like a payment or an ID card, which means victims will have to deal with an elevated risk of medical identity theft for the rest of their lives.
The FFCU noted that the company is not aware of any incidents of identity theft or financial fraud related to the attack and said it will provide victims with complimentary identity theft prevention services.
While FCCU doesn’t specify what type of cyberattack it had to deal with, the dark web monitoring service Ransomware Live indicates that now-defunct ransomware cartel BlackBasta targeted the company. The estimated attack date, October 18th, 2023, coincides with the date provided in FCCU’s data breach notice.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked